Sunday, September 19, 2021
Cisco

Cisco IOS XR Software Command Injection Vulnerabilities

Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to gain access to the underlying root shell of an affected device and execute arbitrary commands with root privileges. For more information about these vulnerabilities,...
MSRC

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for...
Cisco

Cisco IOS XR Software Arbitrary File Read and Write Vulnerability

A vulnerability in the SSH Server process of Cisco IOS XR Software could allow an authenticated, remote attacker to overwrite and read arbitrary files on the local device. This vulnerability is due to insufficient input validation of arguments that are supplied...
DHS

Siemens RUGGEDCOM ROX

This advisory contains mitigations for Exposure of Sensitive Information to an Unauthorized Actor, Execution with Unnecessary Privileges, and Improper Handling of Insufficient Permissions or Privileges vulnerabilities in Siemens RUGGEDCOM ROX devices.
DHS

Schneider Electric EcoStruxure and SCADAPack

This advisory contains mitigations for a Path Traversal vulnerability in Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect software designed for the x70 SCADAPack system.
Cisco

Cisco IOS XR Software IP Service Level Agreements and Two-Way Active Measurement Protocol Denial of Service Vulnerability

A vulnerability in the IP Service Level Agreements (IP SLA) responder and Two-Way Active Measurement Protocol (TWAMP) features of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause device packet memory to become exhausted or cause the...
Drupal

Drupal core – Moderately critical – Access Bypass – SA-CORE-2021-010

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access Bypass
CVE IDs: CVE-2020-13677
Description: Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are...
Drupal

Drupal core – Moderately critical – Access bypass – SA-CORE-2021-009

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
CVE IDs: CVE-2020-13676
Description: The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data. Sites are only affected if the QuickEdit module (which comes with...
Drupal

Drupal core – Moderately critical – Access bypass – SA-CORE-2021-008

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 11/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
CVE IDs: CVE-2020-13675
Description: Drupal's JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able...
Drupal

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-007

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 14/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13674
Description: The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if...
Drupal

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-006

Project: Drupal core
Date: 2021-September-15
Security risk: Moderately critical 10/25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
CVE IDs: CVE-2020-13673
Description: The Drupal core Media module provides a filter to allow embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject...
F5 Networks

Mozilla NSS vulnerability CVE-2020-12413

Security Advisory Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when ...
Security Affairs

The Biden administration plans to target exchanges supporting ransomware operations with sanctions

US Government is expected to issue sanctions against crypto exchanges, wallets, and traders used by ransomware operations to cash out ransom payments. The Biden administration is putting in place all the strategies to disrupt the operations of the ransomware...

Former US Intelligence Operatives Admit They Hacked for UAE

Plus: Remote learning spyware, an AT&T bribery scandal, and more of the week's top security news.
Security Affairs

Expert discloses details and PoC code for Netgear Seventh Inferno bug

A new critical vulnerability in Netgear smart switches can be exploited by an attacker to potentially execute malicious code and take over impacted devices. Researchers provided technical details about a recently addressed critical vulnerability, dubbed Seventh Inferno, in Netgear smart...

A new app helps Iranians hide messages in plain sight

Anti-government graffiti reading "Death to the dictator" in Farsi, sprayed on a wall north of Tehran on September 30, 2009. (credit: Getty Images) Amid ever-increasing government Internet control, surveillance, and censorship in...

Forget iPhone 13–Apple Suddenly Has A Critical New iPhone 14 Problem

How does Apple resolve the nightmare now awaiting its next iPhone...