Cisco IOS XR Software Command Injection Vulnerabilities
Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to gain access to the underlying root shell of an affected device and execute arbitrary commands with root privileges.
For more information about these vulnerabilities,...
Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions
On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for...
Cisco IOS XR Software Arbitrary File Read and Write Vulnerability
A vulnerability in the SSH Server process of Cisco IOS XR Software could allow an authenticated, remote attacker to overwrite and read arbitrary files on the local device.
This vulnerability is due to insufficient input validation of arguments that are supplied...
Siemens RUGGEDCOM ROX
This advisory contains mitigations for Exposure of Sensitive Information to an Unauthorized Actor, Execution with Unnecessary Privileges, and Improper Handling of Insufficient Permissions or Privileges vulnerabilities in Siemens RUGGEDCOM ROX devices.
Schneider Electric EcoStruxure and SCADAPack
This advisory contains mitigations for a Path Traversal vulnerability in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect software designed for the x70 SCADAPack system.
Cisco IOS XR Software IP Service Level Agreements and Two-Way Active Measurement Protocol Denial of Service Vulnerability
A vulnerability in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause device packet memory to become exhausted or cause the...
Drupal core – Moderately critical – Access Bypass – SA-CORE-2021-010
Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access BypassCVE IDs: CVE-2020-13677Description: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.
Sites that do not have the JSON:API module enabled are...
Drupal core – Moderately critical – Access bypass – SA-CORE-2021-009
Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassCVE IDs: CVE-2020-13676Description: The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.
Sites are only affected if the QuickEdit module (which comes with...
Drupal core – Moderately critical – Access bypass – SA-CORE-2021-008
Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassCVE IDs: CVE-2020-13675Description: Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able...
Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-007
Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 14∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13674Description: The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.
Sites are only affected if...
Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-006
Project: Drupal coreDate: 2021-September-15Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryCVE IDs: CVE-2020-13673Description: The Drupal core Media module provides a filter to allow embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject...
Mozilla NSS vulnerability CVE-2020-12413
Mozilla NSS vulnerability CVE-2020-12413 Security Advisory Security Advisory Description ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when ...
The Biden administration plans to target exchanges supporting ransomware operations with sanctions
US Government is expected to issue sanctions against crypto exchanges, wallets, and traders used by ransomware operations to cash out ransom payments.
The Biden administration is putting in place all the strategies to disrupt the operations of the ransomware...
Former US Intelligence Operatives Admit They Hacked for UAE
Plus: Remote learning spyware, an AT&T bribery scandal, and more of the week's top security news.
Expert discloses details and PoC code for Netgear Seventh Inferno bug
A new critical vulnerability in Netgear smart switches can be exploited by an attacker to potentially execute malicious code and take over impacted devices.
Researchers provided technical details about a recently addressed critical vulnerability, dubbed Seventh Inferno, in Netgear smart...
A new app helps Iranians hide messages in plain sight
Enlarge / An anti-government graffiti that reads in Farsi "Death to the dictator" is sprayed at a wall north of Tehran on September 30, 2009. (credit: Getty Images)
Amid ever-increasing government Internet control, surveillance, and censorship in...
Forget iPhone 13–Apple Suddenly Has A Critical New iPhone 14 Problem
How does Apple resolve the nightmare now awaiting its next iPhone...
