Lucene search

2249 matches found

CVE
added 2021/03/31 5:40 p.m. | 70 views

CVE-2021-23004

CVE-2021-23004 affects BIG-IP MPTCP handling in BIG-IP versions including 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3. The issue allows creation of Multipath TCP (MPTCP) forwarding flows on ...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.00647
Exploits: 0 | References: 1 | Affected Software: 14

Cvelist
added 2021/03/31 5:35 p.m. | 18 views

CVE-2021-22997

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. Note: Software versions which have reached End of Software Development...

AI score: 7.9 | EPSS: 0.0032
Exploits: 0 | References: 1

Prion
added 2021/03/31 5:15 p.m. | 23 views

Buffer overflow

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer...

CVSS: 9.3 | AI score: 9.7 | EPSS: 0.07778
Exploits: 1 | References: 1 | Affected Software: 14

Prion
added 2021/03/31 5:15 p.m. | 20 views

Design/Logic Flaw

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, when running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility,...

CVSS: 9 | AI score: 9.1 | EPSS: 0.01178
Exploits: 1 | References: 1 | Affected Software: 14

Microsoft Malware Protection
added 2021/03/29 4:0 p.m. | 35 views

How to build a successful application security program

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Tanya Janca, Founder of We Hack Purple...

AI score: 7
Exploits: 0

Microsoft Secure
added 2021/03/29 4:0 p.m. | 29 views

How to build a successful application security program

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Tanya Janca, Founder of We Hack Purple...

AI score: 7
Exploits: 0

Japan Vulnerability Notes
added 2021/03/25 12:0 a.m. | 52 views

JVN#12559271: Kagemai vulnerable to cross-site scripting

Kagemai provided by daifukuya.com is a bug tracking system to share bug information of the software being developed among its development team. Kagemai contains a cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the user's web browser. Solution: Consider sto...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00205
Exploits: 0

CNNVD
added 2021/03/25 12:0 a.m. | 4 views

Realtek xPON RTL9601D SDK Code Issue Vulnerability

Realtek xPON RTL9601D SDK is an application chip from Realtek China. It is used for network communication. Realtek xPON RTL9601D SDK 1.9 suffers from a code issue vulnerability that originates from plaintext password storage, which can be exploited by an attacker to potentially gain access to a...

CVSS: 10 | AI score: 8.7 | EPSS: 0.0032
Exploits: 0 | References: 2

Packet Storm
added 2021/03/24 12:0 a.m. | 223 views

Intel RST User Interface / Driver Privilege Escalation

Hi @ll, more than 2 years ago I disclosed 2 vulnerabilities leading to local escalation of privilege in the Intel® Rapid Storage Technology Intel® RST User Interface and Driver: see and Intel fixed this vulnerability only in their executable installer. Some time later Intel rewrote or rebuilt thi...

AI score: 0.4
Exploits: 0

CNVD
added 2021/03/13 12:0 a.m. | 2 views

SQL Injection Vulnerability in the Enterprise Management System for Building Materials of Xiangyang Softpro Information Technology Co., Ltd.

Xiangyang Softpro Information Technology Co., Ltd., located in Room 2-2712, Jinxiu Tianchi SOHO-A1 Building, Checheng Road, High-tech Zone, Xiangyang City, Hubei Province, is a high-tech enterprise specializing in software development, mobile software customization, software sales and implementation. Xiangyang Softpro Information Technology Co., Ltd.'s Softpro Building Materials...

AI score: 7.4
Exploits: 0

CNVD
added 2021/03/10 12:0 a.m. | 3 views

Zhengzhou Wolong website builder system has SQL injection vulnerability

Zhengzhou Wolong Software Development Co., Ltd. was registered in Henan Province on 2013-03-11 and belongs to the information transmission, software and information technology services industry; its main industry is software and information technology services, and its service field is computer...

AI score: 7.7
Exploits: 0

RedHat Linux
added 2021/03/08 10:23 a.m. | 75 views

Important: Red Hat Security Advisory: nodejs:10 security update

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS: 7.8 | AI score: 6.9 | EPSS: 0.89427
Exploits: 1 | References: 3

OSV
added 2021/03/08 9:55 a.m. | 24 views

RLSA-2021:0744 Important: nodejs:14 security and bug fix update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 14.16.0. Security Fixes: nodejs: HTTP2 'unknownProtocol' cause DoS by resource...

CVSS: 7.5 | AI score: 7.8 | EPSS: 0.89427
Exploits: 1 | References: 4

CNVD
added 2021/03/05 12:0 a.m. | 12 views

Micro Focus Solutions Business Manager Cross-Site Scripting Vulnerability (CNVD-2021-18312)

Micro Focus Solutions Business Manager (SBM, Serena Business Manager) is a suite of business process automation management solutions from Micro Focus UK. The product is mainly used for process automation, including software development lifecycle and IT business process management. A cross-site...

CVSS: 4.9 | AI score: 6.1 | EPSS: 0.00076
Exploits: 0 | References: 1

Prion
added 2021/02/25 11:15 p.m. | 27 views

Remote code execution

Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during development, build, and release processes. This insertion could lead to remote code execution. We believe...

CVSS: 6.8 | AI score: 8.7 | EPSS: 0.00733
Exploits: 0 | References: 1

OpenVAS
added 2021/02/22 12:0 a.m. | 14 views

Huawei EulerOS: Security Advisory for pcp (EulerOS-SA-2021-1341)

The remote host is missing an update for the Huawei EulerOS...

CVSS: 8.4 | AI score: 7.7 | EPSS: 0.00118
Exploits: 2 | References: 2

The Hacker News
added 2021/02/17 1:29 p.m. | 2 views

Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping

A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls. That's according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned...

CVSS: 5.9 | AI score: 6.5 | EPSS: 0.00257
Exploits: 1

Prion
added 2021/02/12 6:15 p.m. | 24 views

Code injection

On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during...

CVSS: 5.8 | AI score: 4.9 | EPSS: 0.0023
Exploits: 0 | References: 1 | Affected Software: 14

Prion
added 2021/02/12 6:15 p.m. | 16 views

Buffer overflow

On BIG-IP DNS and GTM version 13.1.x before 13.1.0.4, and all versions of 12.1.x and 11.6.x, big3d does not securely handle and parse certain payloads resulting in a buffer overflow. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated...

CVSS: 6.5 | AI score: 7 | EPSS: 0.00434
Exploits: 0 | References: 1 | Affected Software: 2

Prion
added 2021/02/12 5:15 p.m. | 19 views

Code injection

On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic. Note: Software versions which have reached End of Software Development...

CVSS: 4.3 | AI score: 7.6 | EPSS: 0.00647
Exploits: 0 | References: 1 | Affected Software: 14