Archive for November, 2021

CVE-2021-36328 (emc_streaming_data_platform)

Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.
Source: NIST

CVE-2021-36330

Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user.
Source: NIST

CVE-2021-36329

Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information.
Source: NIST

CVE-2021-41256

nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.
Source: NIST

CVE-2021-36326 (emc_streaming_data_platform)

Dell EMC Streaming Data Platform versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade of the communications between the client and server to an unencrypted format.
Source: NIST

CVE-2021-36327 (emc_streaming_data_platform)

Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker’s choice.
Source: NIST

Business School Dean Guilty of Data Conspiracy


The former dean of a business school in Philadelphia has been found guilty of involvement in a fraudulent scheme to doctor program rankings using false data.

Moshe Porat, of Bala Cynwyd, Pennsylvania, was dean of Temple University’s Richard J. Fox School of Business and Management for more than two decades, from 1996 until 2018.

On Monday, a jury found 74-year-old Porat guilty of scheming to deceive the school’s applicants, students, and donors into believing that the school offered top-ranked business degree programs so that they would pay tuition and make donations to Temple.

“This case was certainly unusual, but at its foundation it is just a case of fraud and underlying greed,” said US Attorney Jennifer Arbittier Williams.

From 2014 to 2018, Porat colluded with Fox professor Isaac Gottlieb and a Fox employee named Marjorie O’Neill to give false data to US News & World Report about the school’s online MBA (OMBA) and part-time MBA (PMBA) programs.

Among other things, the conspirators lied about the number of Fox’s OMBA and PMBA students who had taken the Graduate Management Admission Test, the average work experience of Fox’s PMBA students, and the percentage of students who were enrolled part-time.

Based on the false data, US News ranked Fox’s OMBA program number one in the country four years in a row (2015–2018) and raised the school’s PMBA program ranking from 53 in 2014 to 20 in 2015, 16 in 2016 and 7 in 2017.

“Porat boasted about these rankings in marketing materials directed at potential Fox students and donors. Enrollment in Fox’s OMBA and PMBA programs grew dramatically in a few short years, which led to millions of dollars a year in increased tuition revenues,” said the US Attorney’s Office for the Eastern District of Pennsylvania.

In April, Porat was charged with one count of conspiracy to commit wire fraud and one count of wire fraud. He was convicted of both counts on Monday. Porat now faces a fine of $500K and a maximum custodial sentence of 25 years.

Gottlieb and O’Neill are each charged with one count of conspiracy to commit wire fraud.

Stephen Orbanek, a university spokesperson, said in a statement to The Temple News: “The evidence presented at the trial speaks for itself but is not representative of Temple or the overwhelming majority of the thousands of educational professionals serving our students.”

Source: Infosecurity

CVE-2021-43320

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-41244. Reason: This candidate is a reservation duplicate of CVE-2021-41244. Notes: All CVE users should reference CVE-2021-41244 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Source: NIST

CVE-2021-4026 (bookstack)

bookstack is vulnerable to Improper Access Control.
Source: NIST

CVE-2021-42564 (cryptshare_server)

An open redirect through HTML injection in confidential messages in Cryptshare before 5.1.0 allows remote attackers (with permission to provide confidential messages via Cryptshare) to redirect targeted victims to any URL via the '<meta http-equiv="refresh"' substring in the editor parameter.
Source: NIST