🛡 Cybersecurity & Privacy 🛡 - News

2021-09-20 15:26:44 CVE-2021-24741

The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

Read

via "National Vulnerability Database". Open / Comment

2021-09-17 21:23:43 CVE-2021-38304

Improper input validation in the National Instruments NI-PAL driver in versions 20.0.0 and prior may allow a privileged user to potentially enable escalation of privilege via local access.

Read

via "National Vulnerability Database". Open / Comment

2021-09-17 21:23:42 CVE-2019-9060

An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1).

Read

via "National Vulnerability Database". Open / Comment

2021-09-17 21:23:40 CVE-2021-41317

XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths.

Read

via "National Vulnerability Database". Open / Comment

2021-09-17 21:23:39 CVE-2021-40825

nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.754 contain a default key vulnerability. The nECY does not force a change to the key upon the initial configuration of an affected device. nECY system controllers utilize an encrypted channel to secure SensorViewTM configuration and monitoring software and nECY to nECY communications. Impacted devices are at risk of exploitation. A remote attacker with IP access to an impacted device could submit lighting control commands to the nECY by leveraging the default key. A successful attack may result in the attacker gaining the ability to modify lighting conditions or gain the ability to update the software on lighting devices. The impacted key is referred to as the SensorView Password in the nECY nLight Explorer Interface and the Gateway Password in the SensorView application. An attacker cannot authenticate to or modify the configuration or software of the nECY system controller.

Read

via "National Vulnerability Database". Open / Comment

2021-09-17 20:36:51 Friday Five 9/117

A $10 million SEC fine, zero trust, and another free ransomware decryptor debuts - catch up on the infosec news of the week with the Friday Five!

Read

via "". Open / Comment

2021-09-11 15:36:41 CVE-2021-40146

A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities.

Read

via "National Vulnerability Database". Open / Comment

2021-09-11 15:36:40 CVE-2021-38555

An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

Read

via "National Vulnerability Database". Open / Comment

2021-09-11 03:30:56 CVE-2021-24040

Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.

Read

via "National Vulnerability Database". Open / Comment

2021-09-11 03:30:56 CVE-2021-39207

parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.

Read

via "National Vulnerability Database". Open / Comment