CVE-2021-33693: SAP Security Patch Day – August 2021 - Product Security Response at SAP - Community Wiki

November security update contains patches for 55 bugs — including six zero-days across various products.

Experts urged users to prioritize patches for Microsoft Exchange and Excel, those favorite platforms so frequently targeted by cybercriminals and nation-state actors.

Mozilla has issued patches for several vulnerabilities in the Firefox browser. We discuss some of the high impact issues. Categories: Exploits and vulnerabilities Tags: cloud clipboard cve-2021-38504 cve-2021-38505 cve-2021-38506 cve-2021-38507 firefox memory safety bugs mozilla QR code xslt *( Read more... ( https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/update-now-mozilla-fixes-security-vulnerabilities-in-firefox-94/ ) )* The post Update now! Mozilla fixes security vulnerabilities in Firefox 94 appeared first on Malwarebytes Labs.

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 198755.

Researchers found that one critical flaw in question is exploitable from the browser, allowing watering-hole attacks.

October 2021's Patch Tuesday includes some patches to block potentially dangerous vulnerabilities. We made a selection of the most "promising" ones. Categories: Exploits and vulnerabilities Tags: microsoft patch tuesday patches vulnerabilities *( Read more... ( https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/patch-now-microsoft-fixes-71-windows-vulnerabilities-in-october-patch-tuesday/ ) )* The post Patch now! Microsoft fixes 71 Windows vulnerabilities in October Patch Tuesday appeared first on Malwarebytes Labs.

Microsoft's October 2021 Patch Tuesday included security fixes for 74 vulnerabilities, one of which is an actively exploited zero-day.

Backdoor.Win32.Prorat.lkt malware suffers from a weak hardcoded password vulnerability.

This code is a proof-of-concept of the recently revealed Azure Active Directory password brute-forcing vulnerability announced by Secureworks.

One of the iOS vulnerabilities was discovered by Citizen Lab; the Google Threat Analysis Group reported iOS and macOS flaws.

IBM Security Verify Bridge 1.0.5.0 does not properly validate a certificate which could allow a local attacker to obtain sensitive information that could aid in further attacks against the system. IBM X-Force ID: 196355.

IBM Security Verify Bridge 1.0.5.0 does not properly validate a certificate which could allow a local attacker to obtain sensitive information that could aid in further attacks against the system. IBM X-Force ID: 196355.

SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.

SAP BusinessObjects Business Intelligence Platform (Crystal Report), versions - 420, 430, does not sufficiently encode user controlled inputs and therefore an authorized attacker can exploit a XSS vulnerability, leading to non-permanently deface or modify displayed content from a Web site.

SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User.

Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.

An important security update addresses vulnerabilities in CoreGraphics and WebKit that may have been actively exploited.

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 198300.

Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Window with elevated privileges via running McAfee Tray with elevated privileges.

Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Alert Window when the Windows Login Screen is locked.