Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.π Read
via "Dark Reading".
π‘ Cybersecurity & Privacy news π‘
Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.An information disclosure flaw allows a malicious, authenticated, privileged web UI user to obtain a password for a remote SCP backup server that they might not otherwise be authorized to access. This affects SMG prior to 10.7.4.Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious projectA privilege escalation flaw allows a malicious, authenticated, privileged CLI user to escalate their privileges on the system and gain full control over the SMG appliance. This affects SMG prior to 10.7.4.AEM's Cloud Service offering, as well as versions 6.5.6.0 (and below), 6.4.8.2 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victimΓ’β¬β’s browser when they browse to the page containing the vulnerable field.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.An information disclosure flaw allows a malicious, authenticated, privileged web UI user to obtain a password for a remote SCP backup server that they might not otherwise be authorized to access. This affects SMG prior to 10.7.4.Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious projectA privilege escalation flaw allows a malicious, authenticated, privileged CLI user to escalate their privileges on the system and gain full control over the SMG appliance. This affects SMG prior to 10.7.4.AEM's Cloud Service offering, as well as versions 6.5.6.0 (and below), 6.4.8.2 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victimΓ’β¬β’s browser when they browse to the page containing the vulnerable field.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.An information disclosure flaw allows a malicious, authenticated, privileged web UI user to obtain a password for a remote SCP backup server that they might not otherwise be authorized to access. This affects SMG prior to 10.7.4.Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun.A XSS vulnerability exists in Gitlab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting to other users via importing a malicious projectA privilege escalation flaw allows a malicious, authenticated, privileged CLI user to escalate their privileges on the system and gain full control over the SMG appliance. This affects SMG prior to 10.7.4.AEM's Cloud Service offering, as well as versions 6.5.6.0 (and below), 6.4.8.2 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victimΓ’β¬β’s browser when they browse to the page containing the vulnerable field.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.AEM's Cloud Service offering, as well as versions 6.5.6.0 (and below), 6.4.8.2 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victimΓ’β¬β’s browser when they browse to the page containing the vulnerable field.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.AEM's Cloud Service offering, as well as versions 6.5.6.0 (and below), 6.4.8.2 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victimΓ’β¬β’s browser when they browse to the page containing the vulnerable field.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.AEM's Cloud Service offering, as well as versions 6.5.6.0 (and below), 6.4.8.2 (and below) and 6.3.3.8 (and below) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victimΓ’β¬β’s browser when they browse to the page containing the vulnerable field.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.Ransomware attacks targeting hospitals have exacted a human cost as well as financial.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user's personal account data as well as sub-trees with restricted access.Coming to you from virtual backgrounds and beautifully curated bookcases around the world, Dark Reading brings you video interviews with the leading researchers speaking at this week's Black Hat Europe.Anton Chuvakin, head of solution strategy at Google Cloud Security, discusses common cloud security hurdles and how to get over them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.From eCommerce threats, to security concerns in connected speakers, Fortinet researchers discuss the top evolving threats of 2020, heading into the new year.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Latest episode - listen now, and please tell your friends about our podcast.Security teams are being challenged by the connected nature of IP devices, and preventing them from being compromised by cybercriminals has become an essential part of keeping people and property safe.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Attackers pressure victims into paying ransom by publishing and offering for sale data stolen in a campaign that dates back to January.A series of bugs, patched in September, still allow remote code execution by attackers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least compromised 250,000 databases.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.Think like an attacker if you want to understand your attack surface, says security researcher at Black Hat Europe.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.Think like an attacker if you want to understand your attack surface, says security researcher at Black Hat Europe.Do-it-yourself apps that don't use the official API from Apple and Google raised privacy concerns due to unsecure design, says Guardsquare.Demands of the "new normal" won't stop the majority of poll-takers from mastering new skills.The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.The vulnerabilities in Counter Strike: Global Defensive, Dota2, and Half Life could have allowed hackers to crash the games and hijack computers, according to Check Point.Jack Wallen shows you how to install and configure fail2ban on the latest release of Fedora Linux.These phishing emails promise compensation, test results, and other lures about the coronavirus to trick unsuspecting users, says Armorblox.From Apple to Google to Toyota, companies across the world are pouring resources into developing AI systems with machine learning. This comprehensive guide explains what machine learning really means.Here's where enterprises encounter challenges with cloud IAM and the best practices they should follow to correct these mistakes.Learn about data security and the role it plays in many data protection solutions in Data Protection 101, our series on the fundamentals of data security.Threat actors accessed Pfizer vaccine documentation submitted to EU regulators in the latest cyberattack trying to profit off pandemic suffering. Β Some apps in the Google Play Store are impersonating legitimate apps and stealing users' money.Security company GreatHorn shared some of the latest ways cybercriminals are trying to take your money. Here's how to avoid them.Aftermath of the FireEye breach by Russia's foreign service agency raises concerns over what the attackers could do next - and how to defend against it.Fortinet's Aamir Lakhani discusses best practices for securing company data against next-gen threats, like edge access trojans (EATs).Cyberconflict is an unfortunate growing trend impacting businesses and governments. Learn the risks and possible solutions from an industry expert.Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.Of nearly 100 apps tested, 40% have significant security issues, using either GPS locations or bespoke Bluetooth proximity detection to determine exposure.Mirai botnet was used to target Sony in an attack that took down DynDNS and a number of its notable customers.In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is no check that the indices point to inside of the arrays they index into. Thus, this can result in accessing data out of bounds of the corresponding heap allocated arrays. In most scenarios, this can manifest as unitialized data access, but if the index points far away from the boundaries of the arrays this can be used to leak addresses from the library. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.Think like an attacker if you want to understand your attack surface, says security researcher at Black Hat Europe.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is needed for the tensor it creates. However, as soon as there are enough bytes, the above snippet causes a segmentation fault. This is because the allocator used to return the buffer data is not marked as returning an opaque handle since the needed virtual method is not overridden. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in the ksu user command to gain root privileges. IBM X-Force ID: 189960.iCMS 7 attackers to execute arbitrary OS commands via shell metacharacters in the DB_PREFIX parameter to install/install.php.The Γ’β¬˜sortΓ’β¬β’ parameter in the download page clientSetupAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.In TensorFlow release candidate versions 2.4.0rc*, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths but are not verified by the PRs introducing it (#40861 and #44310). Thus, we are completely rewriting the implementation to fully specify and validate these. This is patched in version 2.4.0. This issue only impacts master branch and the release candidates for TF version 2.4. The final release of the 2.4 release will be patched.In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 and 6.0.0.0 through 6.0.3.1 discloses sensitive information to an authenticated user from the dashboard UI which could be used in further attacks against the system. IBM X-Force ID: 172753.Askey AP5100W_Dual_SIG_1.01.097 and all prior versions use a weak password at the Operating System (rlx-linux) level. This allows an attacker to gain unauthorized access as an admin or root user to the device Operating System via Telnet or SSH.The member center function in fastadmin V1.0.0.20200506_beta is vulnerable to a Server-Side Template Injection (SST) vulnerability** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.A flaw was found in the Linux kernels implementation of MIDI (kernel 5.7-rc6), where an attacker with a local account and the permissions to issue an ioctl commands to midi devices, could trigger a use-after-free. A write to this specific memory while freed and before use could cause the flow of execution to change and possibly allow for memory corruption or privilege escalation.** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy."There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.Adobe Lightroom Classic version 10.0 (and earlier) for Windows is affected by an uncontrolled search path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.A CWE-754:Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M340 CPUs (BMXP34* versions prior to V3.30) Modicon M340 Communication Ethernet modules (BMXNOE0100 (H) versions prior to V3.4 BMXNOE0110 (H) versions prior to V6.6 BMXNOR0200H all versions), that could cause the device to be unreachable when modifying network parameters over SNMP.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.New federal cyber initiatives, phishing campaigns, and anti-trust lawsuits - catch up on all of the week's infosec news with the Friday Five!A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.New federal cyber initiatives, phishing campaigns, and anti-trust lawsuits - catch up on all of the week's infosec news with the Friday Five!As cybersecurity incidents gain sophistication, to ensure we are assessing security postures effectively, it is critical to copy real-world adversaries' tools, tactics, and procedures during testing activities.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.An issue was discovered in Gitlab CE/EE versions >= 13.1 to <13.4.7, >= 13.5 to <13.5.5, and >= 13.6 to <13.6.2 allowed an unauthorized user to access the user list corresponding to a feature flag in a project.This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.This affects all versions of package mout. The deepFillIn function can be used to 'fill missing properties recursively', while the deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.New federal cyber initiatives, phishing campaigns, and anti-trust lawsuits - catch up on all of the week's infosec news with the Friday Five!As cybersecurity incidents gain sophistication, to ensure we are assessing security postures effectively, it is critical to copy real-world adversaries' tools, tactics, and procedures during testing activities.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.Information disclosure in Advanced Search component of GitLab EE starting from 8.4 results in exposure of search terms via Rails logs. This affects versions >=8.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.Unauthorized disclosure of sensitive information vulnerability in Micro Focus Filr product. Affecting all 3.x and 4.x versions. The vulnerability could be exploited to disclose unauthorized sensitive information.A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Legacy Controllers Modicon Quantum & Modicon Premium (see security notifications for affected versions), that could cause denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 Firmware (All versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (All versions), that could cause a buffer overflow when the length of a file transferred to the webserver is not verified.A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal' Vulnerability Type) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of information when sending a specially crafted request to the controller over HTTP.A DOS vulnerability exists in Gitlab CE/EE >=10.3, <13.4.7,>=13.5, <13.5.5,>=13.6, <13.6.2 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields.A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause a denial of service vulnerability when a specially crafted packet is sent to the controller over HTTP.A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute the hash value using dictionary attack technique such as rainbow tables, effectively disabling the protection that an unpredictable salt would provide.Information about the starred projects for private user profiles was exposed via the GraphQL API starting from 12.2 via the REST API. This affects GitLab >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2.