PYSEC-2020-228
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleI...
UBUNTU-CVE-2020-10755
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleI...
Default credentials
An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleI...
XSS in Issue - Attachments - CVE-2020-4025
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with an rdf content type. Affected versions: version < 8.5.5, 8.6.0 ≤ version < 8.8.2, 8.9.0 ≤ version < 8.9.1. Fixed...
XSS in Issue - Attachments - CVE-2020-4024
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments with a vnd.wap.xhtml+xml content type. Affected versions: version < 8.5.5, 8.6.0 ≤ version < 8.8.2, 8.9.0 ≤ version < 8.9...
XSS in Issue - Attachments - CVE-2020-4022
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in issue attachments. Affected versions: version < 8.5.5, 8.6.0 ≤ version < 8.8.2, 8.9.0 ≤ version < 8.9.1. Fixed versions: 8.5.5, 8.8.2, 8.9....
Access Control Bypass
phpmailer/phpmailer is vulnerable to access control bypass. The vulnerability exists as the values of name in Content-Type, and filename in Content-Disposition were not sanitized, allowing values ending with ;.jpg to trick mail filters to accept attachments with .jpg extensions...
cxf: does not restrict the number of message attachments
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and...
Serpico Information Disclosure Vulnerability
Serpico is a penetration test report generation and collaboration tool from the Serpico project. An information disclosure vulnerability exists in Serpico versions prior to 1.3.3. The vulnerability stems from the fact that an authenticated non-administrative user can request the...
CVE-2020-12687
An issue was discovered in Serpico before 1.3.3. The /admin/attacmentsbackup endpoint can be requested by non-admin authenticated users. This means that an attacker with a user account can retrieve all of the attachments of all users including administrators from the database...
Anti-Phishing process with advanced phishing attacks simulation
This time I want to write about the service of my friends from Antiphish. They call it “security awareness and employee behaviour management platform”. Simply put, they teach company employees how to detect and avoid phishing attacks. By the way, they are great guys, made a demo for me, prepared...
Unauthorized Access Vulnerability in Beijing Jinfang Times Website Building System
Beijing Jinfang Times Technology Co., Ltd. provides high-end website construction services to enterprises, institutions and government agencies; it is headquartered in Beijing and has a branch in Shijiazhuang. An unauthorized access vulnerability exists in the Beijing Jinfang Times website building system, whic...
Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry...
Oil and Gas Firms Targeted With Agent Tesla Spyware
Attackers are targeting energy companies with the Agent Tesla spyware, as seen in recent spearphishing emails with malicious attachments. Researchers say that until now, Agent Tesla has not been associated with campaigns targeting the oil-and-gas vertical. The emails leverage the tumultuous natur...
CVE-2020-5293
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on the product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5...
Improper access control
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on the product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5...
CVE-2020-5293
PrestaShop CVE-2020-5293 involves improper access controls on the product page (combinations, attachments, and specific prices) affecting versions 1.7.0.0 through 1.7.6.5. The vulnerability is fixed in 1.7.6.5. The Red Hat and other CVE mirrors reiterate this issue. Practical impact as stated: at...