Updated openssl packages fix security vulnerability

In order to decrypt SM2 encrypted data an application is expected to call the API function EVPPKEYdecrypt. Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size...

MGASA-2021-0429 Updated openssl packages fix security vulnerability

In order to decrypt SM2 encrypted data an application is expected to call the API function EVPPKEYdecrypt. Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size...

Tenable SecurityCenter OpenSSL < 1.1.1l Multiple Vulnerabilities (TNS-2021-16)

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is missing the security patch SC-202109.1, therefore affected by multiple vulnerabilities as referenced in the 1.1.1l advisory: - A heap-based buffer overflow condition exists due to the...

AES256_Passwd_Store - Secure Open-Source Password Manager

This script securely encrypts or decrypts passwords on disk within a custom database file. It also features functionality to retrieve passwords from a previously generated database file. This script takes a master password from stdin/from memory, then hashes the password using the specified hashi...

FBI Had the REvil Decryption Key

The Washington Post reports that the FBI had a decryption key for the REvil ransomware, but didnt pass it along to victims because it would have disrupted an ongoing operation. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying i...

BlackMatter Strikes Iowa Farmers Cooperative, Demands $5.9M Ransom

A ransomware group believed to be the latest incarnation of the infamous DarkSide cybergang is being blamed for taking out a farmers’ cooperative online network, with extortionists demanding $5.9 million in ransom. The group BlackMatter is credited for the attack on an Iowa collective of farmers...

The vulnerability of the implementation of the SM2 cryptographic algorithm in the OpenSSL library allows a perpetrator to execute arbitrary code.

The vulnerability of the implementation of the SM2 cryptographic algorithm in the OpenSSL library lies in the copying of buffers without checking the size of the input data. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by transmitting specially crafted data for...

Ditch the Alert Cannon: Modernizing IDS is a Security Must-Do

After more than 20 years of underwhelming results, security leaders have accepted their intrusion detection system IDS programs as no more than a compliance checkoff. It’s no secret that IDS’s reliance on bi-modal signatures is brittle, easily evaded and often referred to as an “alert cannon.” Ti...

CVE-2021-29750

IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 201778...

Huawei EulerOS: Security Advisory for nettle (EulerOS-SA-2021-2411)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

EulerOS 2.0 SP2 : nettle (EulerOS-SA-2021-2411)

According to the version of the nettle packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Remote crash in RSA decryption via manipulated ciphertextCVE-2021-3580 Note that Tenable Network Security has extracted the preceding description...

Code injection

A logic error in the room key sharing functionality of matrix-js-sdk aka Matrix Javascript SDK before 12.4.1 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys via crafted Matrix protocol messages that were originally sent by affected Matrix clients...

CVE-2021-40824

The CVE-2021-40824 issue affects Element Android prior to 1.2.2 and matrix-android-sdk2 (Matrix SDK for Android). A logic error in the room key sharing functionality allows a malicious Matrix homeserver in an encrypted room to steal room encryption keys via crafted Matrix protocol messages, enabl...

CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)

!CVE-2021-3546\78: Akkadian Console Server Vulnerabilities \FIXED\https://blog.rapid7.com/content/images/2021/09/akkadian-vuln.jpg Over the course of routine security research, Rapid7 researchers Jonathan Peterson, Cale Black, William Vu, and Adam Cammack discovered that the Akkadian Console ofte...

CVE-2021-33484

An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. An attacker can download a copy of the installer, decompile it, and discover a hardcoded IV used to encrypt the username and userid in the comment POST request. Additionally, the attacker can decrypt the encrypted...

CVE-2021-33484

OnyakTech Comments Pro 3.8 is affected in its CommentsService.ashx. An attacker can decompile the installer to find a hardcoded IV used to encrypt usernames and user IDs in the comment POST request, and can decrypt the encryption key by setting the encrypted value as the username, revealing the d...

Exploit for Command Injection in Rubyonrails Rails

CVE-2019-5420 A vulnerability can allow an attacker to guess t...

OESA-2021-1330 OpenSSL security update

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security TLS and Secure Sockets Layer SSL protocols. Security Fixes: In order to decrypt SM2 encrypted data an application is expected to call the API function EVPPKEYdecrypt. Typically an application will ca...

in leantime/leantime

✍️ Description In the source code of the application, the Secret Hash value and the initialization vector is being hardcoded. 🕵️‍♂️ Proof of Concept In the following code snippet, we can see the hard-coded secret hash and IV. private $encryptionMethod = 'AES-256-CBC'; private $secrethash =...

MIK.starlight has unspecified vulnerabilities

MIK.starlight is the departmental access and creation dashboard, reporting and planning environment. A security vulnerability exists in MIK.starlight version 7.9.5.24363, which stems from the use of hard-coded keys in the software, which allows an attacker to decrypt credentials via an unspecifie...