Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged.
The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module.
In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability.
The directory support feature allows the ...
CVE-2021-23901PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532PUBLISHED: 2021-01-25When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution.
The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512PUBLISHED: 2021-01-22Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
User Rank: Author
7/17/2018 | 3:02:32 PM
After spending a good part of this year watching our infrastructure engineers and security experts trying to come up with a solid mitigation plan that would not kill our SaaS platform immediately and seeing how our response strategy had to change more than a dozen times as the new and updated kernel patches and CPU microcodes were published and recalled, and new and updated attack vectors and vulnerabilities were discovered, it became literally impossible to keep track of our overall exposure and risks.
Not to mention our enterprise customers, who tried so hard to keep track on our patching progress for the first three months of the year, after which they gave up as the development of this crisis turned into an unmanageable nightmare.
In the end, similarly to how the industry seems to be getting used to the fact that data breaches are the new reality and the overwhelming amount of new incidents does not come out as a surprise anymore, we need to accept that the complexity of today's CPUs, together with the fact that the primary focus of the manufacturers was, is and will be the performance, means that there might be many additional hw-level security flaws to be discovered over the next months and years.
To me, the takeaway is very simple: security and privacy are ongoing end to end process and rather than relying on particular technology or safeguard, we need to continue looking on risks and mitigate them on all the levels, starting by collecting just the minimal data needed - and ending by continuously improving the layered security.