Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-21394 PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...

CVE-2021-22497 PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.

CVE-2021-3163 PUBLISHED: 2021-04-12
A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.

CVE-2019-15059 PUBLISHED: 2021-04-12
In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts, and passwords.

CVE-2021-21524 PUBLISHED: 2021-04-12
Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Cr...
11/12/2014 | 4:25:47 PM
Mr. Bryant
I'd first like to establish what we are talking about in terms of maturity, audit vs assessment, etc.
The intent of how we understand a client's maturity is NOT what we would call an audit. That implies there is a checklist, and then you could pass or fail. An audit also implies the behavior you cite of "managing to the audit" versus "becoming more secure" (like the grade inflation we have experienced in US schools). We are suggesting an assessment (or assessments) of current state against a backdrop of maturity and capability (take another look at the table).
Maturity is loosely tied to CMMI in a sense that it has been an industry-accepted term/framework for some time. It is intuitive to think about current state of security maturity and capability in terms of "reactive, compliant, proactive, optimizing", but you could really use any version of this to achieve what we are suggesting. I have seen other maturity models that reference levels of capability versus state (i.e. No capability, Some capability, etc.). We are NOT suggesting a CMMI "roll out".
I've expanded on some of these concepts in my recent Dark Reading for Intel Security Perspectives blog - please read "What We Mean by Maturity Models for Security" for additional clarity.