New research shows IoT and OT innovation is critical to business but comes with significant risks
The need for much improved IoT and operational technology (OT) cybersecurity became clearer this year with recent attacks on network devices [1], surveillance systems [2], an oil pipeline [3], and a water treatment facility [4], to name a few examples. To better understand the challenges customers are facing,...
ts.tokens can potentially be reduced more than expected
Handle WatchPug Vulnerability details In the current implementation, ts.lastUpdate will only be updated when ts.tokens 0. Thus, ts.lastUpdate can be outdated for an exited user who deposits again. As a result, by the next time updateStreamInternal is called, ts.tokens will be reduced more than...
WP Mail Logging < 1.10.0 - Outdated Redux Framework
The plugin uses an outdated version of the Redux Framework, which is known to be affected by security issues CVE-2021-38312 and CVE-2021-38314, and could allow unauthenticated attackers to change some of the Framework settings by using CVE-2021-38314. PoC: The first endpoint we can identify is...
PHP <= 5.6.27 / 7.0.x <= 7.0.12 DoS Vulnerability
PHP is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:php:php"; if (description...
WP Mail Logging < 1.10.0 - Outdated Redux Framework
The plugin uses an outdated version of the Redux Framework, which is known to be affected by security issues CVE-2021-38312 and CVE-2021-38314, and could allow unauthenticated attackers to change some of the Framework settings by using CVE-2021-38314. The first endpoint we can identify is gathered...
Cached version of ovl may be outdated
Handle pauliax Vulnerability details Impact: the contracts OverlayV1OVLCollateral and OverlayV1Governance cache the ovl address: IOverlayTokenNew immutable public ovl; This variable is initialized in the constructor and fetched from the mothership contract: mothership = IOverlayV1Mothership(mothership); ovl ...
CVE-2022-38146 - URL XSS vulnerability due to outdated jquery in CMS
More info at https://www.silverstripe.org/download/security-releases/cve-2022-38146...
OWASP Top 10 Deep Dive: Getting a Clear View on Vulnerable and Outdated Components
Most of us think of climbing the ladder as a good thing — but when the ladder in question is OWASP's Top 10 list of application security risks, a sudden upward trajectory is cause for alarm rather than encouragement. In the 2021 edition of the OWASP list, vulnerable and outdated components moved ...
django-saas-email (>=0.1.21 <=0.1.29), geonode (=3.3.3) +4 more potentially affected by CVE-2024-21910 via django-tinymce (>=1.5.1b4 <=3.3.0)
django-tinymce PYPI version =1.5.1b4, =0.1.21, =0.1.3.2, =0.3.0, =0.5.2 - zinnia-wysiwyg-tinymce =1.4.0 Source cves: CVE-2024-21910 Source advisory: OSV:GHSA-R8HM-W5F7-WJ39...
Historic data being requested as a part of MochiVault.withdraw and borrow functions can be outdated, so a user can avoid historic data update with sending old piece of _data
Handle hyh Vulnerability details Impact Asking to provide historic data proof doesn't imply that pricing is current, a malicious user can wait for market volatility and do deposit/borrow sequence with outdated price, borrowing more than current market value of supplied assets for example, suppose...
Ongoing Cyber Threats to U.S. Water and Wastewater Systems
Summary Immediate Actions WWS Facilities Can Take Now to Protect Against Malicious Cyber Activity • Do not click on suspicious links. • If you use RDP, secure and monitor it. • Use strong passwords. • Use multi-factor authentication. Note: This advisory uses the MITRE Adversarial Tactics, Technique...
SUSE: Security Advisory (SUSE-SU-2021:3463-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if (description...
CVE-2021-41153
The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In evm crate 0.31.0, JUMPI opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a...
Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components
Attacks against known vulnerabilities are one of the most common security risks. Have you seen an updated OWASP Top-10? A risk that used to be A09 Using Components with Known Vulnerabilities is now titled A06:2021-Vulnerable and Outdated Components. This category moved up to 06 from 9 in 2017. We...
CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems
The U.S. Cybersecurity Infrastructure and Security Agency CISA on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater facilities WWS, highlighting five incidents that occurred between March 2019 and August 2021. "This activity—which includes attempts to...
CentOS 8 : grafana (CESA-2021:3771)
The remote CentOS Linux 8 host has a package installed that is affected by a vulnerability as referenced in the CESA-2021:3771 advisory. - grafana: Snapshot authentication bypass CVE-2021-39226 Note that Nessus has not tested for this issue but has instead relied only on the application's...
GHSA-QH54-9VC5-M9FG MD5 hash support in github.com/foxcpp/maddy
Impact This vulnerability affects maddy 0.5.1 and 0.5.0 users using the auth.shadow module on an extremely outdated system that still allows MD5 hashes in /etc/shadow. Patches A patch is available as part of the 0.5.2 release. Workarounds Ensure MD5 hashes are not present in /etc/shadow...
Mozilla Firefox ESR < 78.15
The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 78.15. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-44 advisory. - Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bug...
The 2021 OWASP Top 10 Have Evolved: Here's What You Should Know
Late last week, the Open Web Application Security Project OWASP released its top 10 list of critical web application security risks. The last OWASP Top 10 came out in 2017, and in the intervening 4 years, we've seen a fundamental shift in application security that includes greater emphasis on...
A9: Using Components with Known Vulnerabilities ❗️ — Top 10 OWASP 2017
Introduction A9: Using Components with Known Vulnerabilities What are Components With Known Vulnerabilities? Top 10 OWASP describes the term components as a very broad term. It can either be a full piece of software that our...