Channel address:
Categories:
Technologies
Language: English
Subscribers:
19.82K
Description from channel
🗞 The finest daily news on cybersecurity and privacy.
🔔 Daily releases.
💻 Is your online life secure?
📩 lalilolalo.dev@gmail.com
Ratings & Reviews
Reviews can be left only by registered users. All reviews are moderated by admins.
5 stars
0
4 stars
2
3 stars
0
2 stars
0
1 stars
1
The latest Messages 30
2021-09-20 15:26:44
CVE-2021-24741 The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.
Read
via "
National Vulnerability Database".
60 views12:26
2021-09-17 21:23:43
CVE-2021-38304 Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access.
Read
via "
National Vulnerability Database".
35 views18:23
2021-09-17 21:23:42
CVE-2019-9060 An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1).
Read
via "
National Vulnerability Database".
35 views18:23
2021-09-17 21:23:40
CVE-2021-41317 XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths.
Read
via "
National Vulnerability Database".
31 views18:23
2021-09-17 21:23:39
CVE-2021-40825 nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.
Read
via "
National Vulnerability Database".
28 views18:23
2021-09-17 20:36:51
Friday Five 9/117 A $10 million SEC fine, zero trust, and another free ransomware decryptor debuts - catch up on the infosec news of the week with the Friday Five!
Read
via "".
65 views17:36
2021-09-11 15:36:41
CVE-2021-40146 A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities.
Read
via "
National Vulnerability Database".
189 views12:36
2021-09-11 15:36:40
CVE-2021-38555 An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.
Read
via "
National Vulnerability Database".
188 views12:36
2021-09-11 03:30:56
CVE-2021-24040 Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
Read
via "
National Vulnerability Database".
239 views00:30
2021-09-11 03:30:56
CVE-2021-39207 parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
Read
via "
National Vulnerability Database".
232 views00:30