CVE-2018-20803

A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4 versions prior to 3.4.19.
Source: NIST

US Police Make Arrest in $1m Airplane Scam

Police in the United States have made an arrest in connection with a million-dollar cyber-scam involving the sale of an airplane in Australia.

An investigation was launched in 2018 after a Business Email Compromise (BEC) attack interfered with digital communications between a company in New Zealand that was buying an airplane and a company in Australia that was selling it for $1,028,000.

By infiltrating the emails of the two companies, cyber-scammers managed to replace the seller’s bank routing information with details of their own bank accounts in Houston, Texas.

Using this ruse netted the attackers $928,000, paid in two separate transactions.

The audacious theft sparked a two-and-a-half-year international criminal investigation that has already resulted in arrests and prosecutions. On November 18, that investigation led to the arrest of 36-year-old Cletus N. Anyanwu by Houston Police and the FBI.

Anyanwu was charged with the first-degree felony of Engaging in Organized Criminal Activity, specifically money laundering of $300,000 or more. If convicted, he faces anywhere from 15 to 99 years behind bars in an unflattering orange jumpsuit.

Harris County District Attorney Kim Ogg said that Anyanwu was the individual flying at the controls of the financial side of the BEC airplane scam.

Court documents present Anyanwu as a ringleader who organized hackers and bank accounts to receive the stolen funds from the bogus airplane sale that took place in May 2018.

“Cyber fraud is among the fastest-growing crimes in the world,” said Ogg.

“Small business can be crushed, a government can be held hostage, or a corporation brought to a standstill all by hacking and fraud. We are dedicated to helping victims by bringing cyber terrorists and thieves to justice.”

BEC scams caused the highest losses across all scam types in Australia in 2019, costing businesses $132m, according to the ACCC’s “Targeting Scams” report.

“We’re trying to stop all kinds of computer and email scams, including business scams like this. This company lost a million dollars, and that money is just gone,” said assistant Harris County district attorney Keith Houston, the prosecutor handling the case.

Source: Infosecurity

CVE-2020-12352

Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
Source: NIST

CVE-2020-7928

A user authorized to perform database queries may trigger a read overrun and access arbitrary memory by issuing specially crafted queries. This issue affects: MongoDB Inc. MongoDB Server v4.5 versions prior to 4.5.1; v4.4 versions prior to 4.4.1; v4.2 versions prior to 4.2.9; v4.0 versions prior to 4.0.20; v3.6 versions prior to 3.6.20.
Source: NIST

CVE-2020-12351

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
Source: NIST

CVE-2020-4854

IBM Spectrum Protect Plus 10.1.0 through 10.1.6 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 190454.
Source: NIST

CVE-2020-0569

Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
Source: NIST

CVE-2019-14587

Logic issue in EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.
Source: NIST

CVE-2019-14586

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.
Source: NIST

CVE-2020-4783

IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 189214.
Source: NIST