Command injection

Some Huawei products have a command injection vulnerability. Due to insufficient input validation, an attacker with high privilege may inject some malicious codes in some files of the affected products. Successful exploit may cause command injection.Affected product versions include:NIP6300...

DEBIAN-CVE-2020-27638

receive.c in fastd before v21 allows denial of service assertion failure when receiving packets with an invalid type code...

CVE-2020-9870

A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code...

Design/Logic Flaw

A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code...

CVE-2020-9870

A logic issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8. An attacker with memory write capability may be able to bypass pointer authentication codes and run arbitrary code...

Trickbot disrupted

As announced today, Microsoft took action against the Trickbot botnet, disrupting one of the world’s most persistent malware operations. Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure. As a result, operators will no longer be able to use...

SUSE-SU-2020:2872-1 Security update for hexchat

This update for hexchat fixes the following issues: - CVE-2016-2087: A directory traversal was possible if a user could be convinced to connect to a server with a hostname with '..' in its name. bsc1020739. This non-security issue was fixed: - Add dependency on iso-codes and hwdata as hexchat tri...

Account Takeover Fraud Losses Total Billions Across Online Retailers

Account takeover ATO attacks are on the rise, and in fact have become a go-to attack of choice cybercriminals of all stripes. In fact, in 2019 alone, ATO attacks cost consumers and e-commerce retailers a whopping $16.9 billion in losses. To be clear, ATO fraud isn’t new, it’s been a concern for...

QR Codes: A Sneaky Security Threat

If it seems like QR codes have popped up everywhere these days, you’re right. Ever since they were first used by the Japanese auto industry to streamline manufacturing processes, companies everywhere have capitalized on the benefits of QR codes. They’re cheap to deploy and can be applied to almos...

Researchers Uncover 6-Year Cyber Espionage Campaign Targeting Iranian Dissidents

Capping off a busy week of charges and sanctions against Iranian hackers, a new research offers insight into what's a six-year-long ongoing surveillance campaign targeting Iranian expats and dissidents with an intention to pilfer sensitive information. The threat actor, suspected to be of Iranian...

Researchers Uncover 6-Year Cyber Espionage Campaign Targeting Iranian Dissidents

Capping off a busy week of charges and sanctions against Iranian hackers, a new research offers insight into what's a six-year-long ongoing surveillance campaign targeting Iranian expats and dissidents with an intention to pilfer sensitive information. The threat actor, suspected to be of Iranian...

QR Codes Serve Up a Menu of Security Concerns

Quick Response QR codes are booming in popularity and hackers are flocking to exploit the trend. Worse, according to a new study, people are mostly ignorant to how QR codes can be easily abused to launch digital attacks. The reason QR code use is skyrocketing is tied to more brick-and-mortar...

CVE-2020-15709 add-apt-repository print ASNI terminal codes

Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20.10, and 0.92.37.8ubuntu0.1esm1, printed a PPA personal package archive description to the terminal as-is, which allowed PPA owners to provide ANSI terminal escapes to modify terminal contents in unexpected ways...

EAP: field-name is not parsed in accordance to RFC7230

A flaw was discovered in JBoss EAP, where it does not process the header field-name in accordance with RFC7230. Whitespace between the header field-name and colon is processed, resulting in an HTTP response code of 200 instead of a bad request of 400...

Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file...

UBUNTU-CVE-2020-15666

When trying to load a non-video in an audio/video context the exact status code 200, 302, 404, 500, 412, 403, etc. was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to inferring login status ...

Smart Lock Vulnerability

Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code." Users can share temporary...

aflnet

It is an offensive tool for Network protocols. The repository contains a greybox fuzzer for protocol implementations, named AFLNet. It takes a mutational approach and uses state-feedback, in addition to code-coverage feedback, to guide the fuzzing process. AFLNet is seeded with a corpus of record...

CVE-2020-14337

CVE-2020-14337 affects Ansible Tower/Tower, where a data exposure flaw allows an unauthenticated, remote attacker to glean data by error results. Reports describe that HTTP error responses can reveal pages from the default organization and verification of usernames. The issue is associated with T...

CVE-2020-14337

A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data...