Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2022-25878 PUBLISHED: 2022-05-27
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype.
This vulnerability can occur in multiple ways:
1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption ...

CVE-2021-27780 PUBLISHED: 2022-05-27
The software may be vulnerable to both unauthenticated XML interaction and unauthenticated device enrollment.

CVE-2021-27781 PUBLISHED: 2022-05-27
The Master operator may be able to embed a script tag in HTML with an alert pop-up displaying the cookie.

CVE-2022-1897 PUBLISHED: 2022-05-27
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

CVE-2022-20666 PUBLISHED: 2022-05-27
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
These vulnerabilities are due to insufficient va...
User Rank: Ninja
10/26/2016 | 9:14:33 AM
Email doesn't work that way... and from time to time you're going to get unfamiliar senders (and, therefore, non-whitelisted senders) who are sending legitimate email.
Of course, all of these emails could be "authenticated," but then what if someone who has authentication via a certificate authority then decides to become a bad actor?
The easy rebuttal to this is that, "Well, that's okay, because we'll have their identity -- and can thereby revoke their authentication."
But then that gets us down the data-privacy rabbit hole.
It's one thing for online retailers and other sellers / companies to authenticate themselves publicly. It's another thing to ask people to authenticate themselves for private communication.
Or what am I missing here?
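The three policy tiers the commenter walks through (a sender whitelist, sender authentication, and revocation of an authenticated identity that turns bad) can be modelled as a small mail-acceptance policy. The block below is an added example written for this page; it is not the commenter's code and not anything from the site. It assumes a DKIM-style Authentication-Results header added by our own mail gateway as the stand-in for the "authentication via a certificate authority" the comment mentions; the gateway name mx.example.net, the domains, the allowlist and revocation entries, and all four sample messages are constructed for the example.

```python
"""Toy mail-acceptance policy for the whitelist / authenticate / revoke debate.

Tiers, evaluated in order:
  1. ALLOWLIST   - known senders, accepted outright (fails for legitimate but
                   unfamiliar senders, the commenter's first objection)
  2. authentication - an unfamiliar sender is still accepted if our own gateway
                   recorded an aligned DKIM pass (assumed mechanism)
  3. REVOKED     - an authenticated identity that later went bad is rejected
Anything else is quarantined rather than dropped.  All data is constructed.
"""
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.net"          # our gateway; only its verdicts are trusted
ALLOWLIST = {"alice@example.com"}        # hypothetical known sender
REVOKED = {"badvendor.example"}          # hypothetical revoked sender domain


def parse_authentication_results(value):
    """Parse 'authserv; method=verdict prop=val ...; ...' into {method: (verdict, props)}.

    Returns {} when the header was not written by our gateway, because a sender
    can put any Authentication-Results line it likes into a message.
    """
    parts = [p.strip() for p in value.split(";")]
    if parts[0].split()[0] != AUTHSERV_ID:
        return {}
    results = {}
    for part in parts[1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results[method.lower()] = (verdict.lower(), props)
    return results


def decide(raw_message):
    """Return (action, reason) for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rpartition("@")[2]

    if sender in ALLOWLIST:
        return "accept", "allowlisted sender"

    results = {}
    for header in msg.get_all("Authentication-Results", []):
        results.update(parse_authentication_results(header))
    verdict, props = results.get("dkim", ("none", {}))
    # Alignment: the signing domain must be the From: domain, or the pass says
    # nothing about who the user will see as the sender.
    if verdict == "pass" and props.get("header.d", "").lower() == domain:
        if domain in REVOKED:
            return "reject", "authenticated identity revoked"
        return "accept", "authenticated sender"

    return "quarantine", "unfamiliar and unauthenticated sender"


# Constructed sample messages, one per policy branch.
SAMPLES = {
    "allowlisted": "From: Alice <alice@example.com>\nSubject: hi\n\nhello\n",
    "authenticated": (
        "From: Orders <orders@shop.example>\n"
        "Authentication-Results: mx.example.net; dkim=pass header.d=shop.example;"
        " spf=pass smtp.mailfrom=shop.example\n\nyour receipt\n"
    ),
    "unauthenticated": "From: Orders <orders@shop.example>\nSubject: x\n\nplain\n",
    "forged_header": (
        "From: Orders <orders@shop.example>\n"
        "Authentication-Results: attacker.example; dkim=pass header.d=shop.example\n\nfake\n"
    ),
    "revoked": (
        "From: Billing <billing@badvendor.example>\n"
        "Authentication-Results: mx.example.net; dkim=pass header.d=badvendor.example\n\npay now\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {decide(raw)}")
```

The forged_header sample is the check a practitioner will want: an Authentication-Results line not written by our own gateway is ignored, so a sender cannot authenticate itself by asserting its own pass. The revocation list only works because the identity was bound to the message by the signature, which is the point the commenter concedes before raising the privacy objection.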