SQL Injection Vulnerability in Off-site Facial Modeling Recognition Annual Inspection System of Shanxi Shangpin Youchuang Technology Co.
Shanxi Shangpin Youchuang Technology Co., Ltd. is a business incubation technology service provider, providing entrepreneurs with a full range of business technology services and more. A SQL injection vulnerability exists in the off-site facial modeling recognition annual inspection system of...
AuthMatrix - A Burp Suite Extension That Provides A Simple Way To Test Authorization
AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are structured in ...
OWASP Threat Dragon - Cross-Platform Threat Modeling Application
Threat Dragon is a free, open-source, cross-platform threat modeling application including system diagramming and a rule engine to auto-generate threats/mitigations. It is an OWASP Incubator Project. The focus of the project is on great UX, a powerful rule engine and integration with other...
The science behind Microsoft Threat Protection: Attack modeling for finding and stopping evasive ransomware
The linchpin of successful cyberattacks, exemplified by nation state-level attacks and human-operated ransomware, is their ability to find the path of least resistance and progressively move across a compromised network. Determining the full scope and impact of these attacks is one of the most...
Managing cybersecurity like a business risk: Part 1—Modeling opportunities and threats
In recent years, cybersecurity has been elevated to a C-suite and board-level concern. This is appropriate given the stakes. Data breaches can have significant impact on a company’s reputation and profits. But, although businesses now consider cyberattacks a business risk, management of cyber ris...
SaltStack Salt Master/Minion Unauthenticated RCE
This module exploits unauthenticated access to the runner and sendpub methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager...
SaltStack Salt Master Server Root Key Disclosure
This module exploits unauthenticated access to the prepauthinfo method in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the root key used to authenticate administrative commands to the master. VMware vRealize Operations...
Afternoon Cyber Tea: Building operational resilience in a digital world
Operational resiliency is a topic of rising importance in the security community. Unplanned events, much like the one we are facing today, are reminders of how organizations can be prepared to respond to a cyberattack. Ian Coldwater and I explored a variety of options in my episode of Afternoon...
openSUSE: Security Advisory for python-nltk (openSUSE-SU-2020:0436-1)
The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Read permissions not enforced for client provided filter expressions in Elide.
Impact: It is possible for an adversary to "guess and check" the value of a model field they do not have access to, assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence ...
Manage Origin Offload and Egress Fees for Live and On-Demand
Origin offload has received more attention in the past few years as more customers have moved their origins to the cloud. As such, the cost to access data has become an important issue. To support this move, Akamai has developed Cloud Wrapper to provide customers with a way to securely connect to...
Pytm - A Pythonic Framework For Threat Modeling
Define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system. Requirements: Linux/MacOS, Python 3.x, Graphviz package, Java...
Fedora Update for libyang FEDORA-2019-dfe0b42bc5
The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Important: Red Hat Security Advisory: libyang security update
An update for libyang is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...
Important: libyang security update
The libyang package provides a library for the YANG data modeling language. libyang is a YANG data modelling language parser and toolkit written in C and providing an API in C. The library is used e.g. in the libnetconf2, Netopeer2, sysrepo and FRRouting projects. Security Fixes: libyang: stack-based buffer...
RHEL 8 : libyang (RHSA-2019:4360)
The remote Red Hat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2019:4360 advisory. The libyang package provides a library for the YANG data modeling language. libyang is a YANG data modelling language parser and toolkit written...
Fedora Update for libyang FEDORA-2019-9d83929ffa
The remote host is missing an update for the Copyright C 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
[SECURITY] Fedora 30 Update: libyang-1.0.101-1.fc30
Libyang is a YANG data modeling language parser and toolkit written in C and providing an API in C...
[SECURITY] Fedora 31 Update: libyang-1.0.101-1.fc31
Libyang is a YANG data modeling language parser and toolkit written in C and providing an API in C...
Failure Modes in Machine Learning
Interesting taxonomy of machine-learning failures (PDF) that encompasses both mistakes and attacks, or, in their words, intentional and unintentional failure modes. It's a good basis for threat modeling...