Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581PUBLISHED: 2021-03-05The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042PUBLISHED: 2021-03-05Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041PUBLISHED: 2021-03-05ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377PUBLISHED: 2021-03-05The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
User Rank: Apprentice
3/14/2014 | 1:01:57 PM
This development really highlights the growing difficulty of filtering the signal from the noise in an age of exponentially expanding volume of data. Its like many of us are falling in to the same trap that amateur website owners often do: If everything is in all caps, people will read everything because all caps means its important right? I would not be at all surprised if the same people that evaluated the alarm mentioned in the article were also monitoring alarms from countless workstations and who knows what else. Doesn't surprise me at all that this got lost in the shuflle. But it still terrifies me!
This also underscores the near uselessness of the PCI spec. It is not a something to use to avoid a breach, its something to use to reduce the chance of a lawsuit. "Hey! We were PCI compliant! Its not our fault!"