Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27581 (published 2021-03-05): The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042 (published 2021-03-05): Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041 (published 2021-03-05): ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377 (published 2021-03-05): The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420 (published 2021-03-05): A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could cause an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
User Rank: Ninja
3/20/2016 | 3:49:33 PM
A few months ago, I was asked to interview for a CISO position at a global mid-size enterprise.
For starters, the pay was below industry average. Not too bad... except for the fact that (1) the "requirements" in the job posting represented fanciful thinking -- even for industry standard -- and (2) as far as I could tell, the company's data protection policies were virtually nil outside of far-too-often mandated password changes. (Meanwhile, the physical security was woeful.) The person this company eventually hires will have to build everything pretty much from scratch.
What's more, the position was more of a "CISO-plus" role -- combining the roles of the CISO, the CCO, and the CPO. Additionally, the job had three bosses -- but with no real budget for the department/goals of the role.
They still haven't filled the role -- and they've recently reposted the identical job posting except with a less impressive job title (apparently to try to disguise the fact that the pay is below average).
So, there's that.