A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL.
Daily Archives: June 2, 2022
CVE-2020-20971
Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.
CVE-2019-12351
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.
CVE-2019-12350
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma.
CVE-2019-12349
An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter.
USN-5458-1: Vim vulnerabilities
It was discovered that Vim was incorrectly handling virtual column
position operations, which could result in an out-of-bounds read. An
attacker could possibly use this issue to expose sensitive
information. (CVE-2021-4193)
It was discovered that Vim was not properly performing bounds checks
when updating windows present on a screen, which could result in a
heap buffer overflow. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code. (CVE-2022-0213)
It was discovered that Vim was incorrectly handling window
exchanging operations when in Visual mode, which could result in an
out-of-bounds read. An attacker could possibly use this issue to
expose sensitive information. (CVE-2022-0319)
It was discovered that Vim was incorrectly handling recursion when
parsing conditional expressions. An attacker could possibly use this
issue to cause a denial of service or execute arbitrary code.
(CVE-2022-0351)
It was discovered that Vim was not properly handling memory
allocation when processing data in Ex mode, which could result in a
heap buffer overflow. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code.
(CVE-2022-0359)
It was discovered that Vim was not properly performing bounds checks
when executing line operations in Visual mode, which could result in
a heap buffer overflow. An attacker could possibly use this issue to
cause a denial of service or execute arbitrary code.
(CVE-2022-0361, CVE-2022-0368)
It was discovered that Vim was not properly handling loop conditions
when looking for spell suggestions, which could result in a stack
buffer overflow. An attacker could possibly use this issue to cause
a denial of service or execute arbitrary code. (CVE-2022-0408)
It was discovered that Vim was incorrectly handling memory access
when executing buffer operations, which could result in the usage of
freed memory. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-0443)
SecureAuth unveils new end-to-end access and authentication solution
A new next-generation access and authentication platform powered by artificial intelligence was launched Wednesday by SecureAuth. The platform, Arculix, combines orchestration, passwordless technology and continuous authentication and can be deployed out of the box with any industry-standard identity provider as an end-to-end solution or as augmentation to an existing identity and access management (IAM) scheme.
The days of granting blanket trust after initial authentication are over, says SecureAuth CEO Paul Trulove. “If, after initial authentication, you never authenticate again, a bad actor could potentially run rampant in your system,” he tells CSO. “That’s why organizations are moving away from passwords as a mechanism for authentication and creating an initial level of trust and moving further along the maturity curve around authentication so they just don’t evaluate the level of trust at the outset of a transaction. They continually evaluate risk signals observed during a session to determine if something has changed and whether they need to reauthenticate.”
Why You Should Care About Fitness Tracker Security
Congratulations! You reached 10,000 steps today!
It’s a great feeling when a wearable fitness device vibrates to let you know when you hit the day’s fitness goal. The digital fireworks display that lights up your watch’s screen is a signal that you should keep on moving to challenge yourself more … or spend the rest of the day on the couch guilt-free.
While fitness wearable devices, trackers, and apps are excellent motivators for you, cybercriminals love them for their vulnerabilities and privacy loopholes. This doesn’t mean you have to chuck your expensive watch in the bin or delete your fitness apps from your smartphone. Awareness and smart habits go a long way in deterring cybercriminals. Keep reading to learn more about wearable technology vulnerabilities and how you can sidestep each.
Location Data
Many fitness tracker apps and wearables are equipped with GPS. At the end of a run or long walk, you can view your exact route, sometimes with detailed maps that show street and town names. This tracking feature was potentially dangerous back in 2018 when a fitness app released a heat map of all its users’ running routes for the year, which clearly outlined secret military bases.
Even if you’re stationed in a suburb and not hostile territory, you should still consider the risks of sharing your location data. A determined criminal who has time to spare can guess your address and see the times of day when you’re commonly out at the gym or on a run.
Personally Identifiable Information
When you purchase a wearable fitness device, you often have to pair it with an accompanying smartphone app to see your daily stats and tailor your fitness goals. Think about all the personally identifiable information (PII) that app now houses: your full name, password, address, height, weight, location, medical concerns, daily activity patterns, etc. In the hands of a cybercriminal, this information can bring a nefarious actor one step closer to impersonating you. Plus, if your health data makes it onto the dark web or is sold to health companies, it may result in serious privacy concerns.
Luckily, there are ways to get peace of mind about the security of your identity. Identity protection services, such as McAfee Identity Monitoring Service, provide expert identity theft support and up to $1 million in identity theft coverage.
Tips to Improve Your Fitness Tracker Security
Wearable devices complement any athleisure outfit and are a fun way to inspire athletic competition between a group of friends. Here are a few ways you can patch some of their security shortcomings:
Change the factory password settings.
When you first purchase any new device, fitness trackers included, your first step should always be to reset the factory password. Cybercriminals know that many people often skip this step, making it easy for them to walk right into new accounts. If you have a hard time remembering your passwords, consider entrusting them to a password manager to remember them for you. McAfee True Key makes it so that you only have to remember one master password to unlock the rest, and it’s protected by one of the strongest encryption algorithms available.
Make your account private.
This is a tip you should consider for all your social media accounts. When you post about your life online, you actually divulge a lot of personal details that are helpful to cybercriminals. In the case of fitness trackers and apps, sharing the times of day when you go to the gym, are at the local track, or are on a bike path may give a criminal an idea of windows during the day when your home is empty. It’s unsettling to think that strangers can track your whereabouts, so it’s best to keep those details exclusive to people you personally know and trust.
Turn off geolocation.
In the case of fitness trackers and apps, a savvy cybercriminal may be able to take an educated guess at your address, with which they can carry out a myriad of nefarious activities. Some running and fitness apps can still create maps of your running routes but erase street names and other landmarks to make them more private. But when in doubt, turn off geolocation.
Stay on Track
Fitness trackers are a fun way to stir up some friendly competition, keep connected with your fit friends, and motivate yourself to exercise and maintain healthy habits. While you’re shopping for a new device or when evaluating your current tracker, keep these tips in mind to enjoy this technology to its fullest.
The post Why You Should Care About Fitness Tracker Security appeared first on McAfee Blog.
10 Companies Chosen to Test Next-Generation Cybersecurity Technologies
10 companies will experiment on the Morello board as part of the government-backed DSbD initiative
4 reasons why CISOs can’t ignore climate change
Climate change may not be an issue synonymous with cybersecurity, but there is a growing need for the security sector to recognize and address the impact a changing climate is having. A new report from the World Meteorological Organization (WMO) stated that there is a 50% chance that, during the next five years, the global average surface temperature will exceed 1.5°C above the preindustrial average for the first time in an individual year.
Climate-related factors such as shifting weather patterns, resource availability, and mass migration could alter the cyberthreats organizations and governments face, introducing new or heightened risks in an already complex landscape.