Archive for the ‘Uncategorized’ Category

CVE-2020-8793

OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.
Source: NIST

CVE-2020-8794

OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.
Source: NIST

CVE-2020-9017

LiteCart through 2.2.1 allows CSV injection via a customer’s profile.
Source: NIST
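The CSV injection class reported above for LiteCart is worth seeing end to end: a customer stores a profile field that begins with a formula trigger, an administrator exports customers to CSV, and the spreadsheet that opens the file evaluates the cell. The following is an added example, not LiteCart's code or NIST's text; the profile records, column names and the `export_profiles`/`audit_csv` helpers are constructed for illustration. It shows the vulnerable export beside the neutralised one and an audit routine you can run over any CSV before someone opens it.

```python
"""Detect and neutralise CSV/formula injection in a customer-profile export."""
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets treat as the
# start of a formula. Tab and carriage return are included because some
# importers strip them and then evaluate whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data (not from the page): one honest customer and one
# whose profile fields carry classic DDE-style payloads. They are plain
# strings here; nothing is executed by this script.
SAMPLE_PROFILES = [
    {"id": 1, "first_name": "Alice", "last_name": "Smith",
     "email": "alice@example.com"},
    {"id": 2, "first_name": "=cmd|' /C calc'!A0", "last_name": "Mallory",
     "email": "-2+3+cmd|' /C calc'!A0"},
]
COLUMNS = ("id", "first_name", "last_name", "email")


def is_formula_like(cell) -> bool:
    """True when a spreadsheet would evaluate this cell instead of showing it."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell):
    """Prefix a leading trigger character with a single quote.

    Spreadsheets treat a leading apostrophe as "this cell is literal text",
    so '=cmd|...' is displayed verbatim and never evaluated. Non-strings
    (ids, amounts) are returned unchanged.
    """
    if is_formula_like(cell):
        return "'" + cell
    return cell


def export_profiles(profiles, safe=True) -> str:
    """Render profiles as CSV. safe=False reproduces the vulnerable export."""
    buf = io.StringIO()
    # QUOTE_ALL wraps every cell in double quotes, which stops a value from
    # smuggling a delimiter into the next column, but quoting alone does NOT
    # stop formula evaluation: Excel strips the quotes and evaluates "=1+1".
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for profile in profiles:
        row = [profile[col] for col in COLUMNS]
        if safe:
            row = [neutralize_cell(cell) for cell in row]
        writer.writerow(row)
    return buf.getvalue()


def audit_csv(text: str):
    """Return (row, column, cell) for every cell of an existing CSV that a
    spreadsheet would evaluate as a formula. Row 0 is the header line.
    Useful as a check on exports produced by an application you do not
    control, before the file reaches anyone's desktop."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


if __name__ == "__main__":
    unsafe = export_profiles(SAMPLE_PROFILES, safe=False)
    safe = export_profiles(SAMPLE_PROFILES, safe=True)
    print("unsafe export flags:", audit_csv(unsafe))
    print("safe export flags:", audit_csv(safe))
```

The apostrophe prefix is the usual mitigation because it survives the round trip through every common spreadsheet; the cost is that consumers which are not spreadsheets will see the extra character, so apply it at the export boundary rather than when the profile is stored. Validating the field on input (rejecting names that start with a trigger character) is a useful second layer but does not help data that is already in the database.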

CVE-2020-9334

A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
Source: NIST

CVE-2020-9335

Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 for WordPress. Successful exploitation of this vulnerability would allow an authenticated admin user to inject arbitrary JavaScript code that is viewed by other users.
Source: NIST

CVE-2019-12863

SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows Stored HTML Injection by administrators via the Web Console Settings screen.
Source: NIST

#RSAC: 10 Reasons Why a Cybersecurity Career is Beneficial to Personal and Professional Development


While there is increased stress in cybersecurity and “good days and bad days,” we should also focus on the “tremendous positives” in the industry’s achievements.

Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Phil Venables, board director and senior advisor for risk and cybersecurity at Goldman Sachs Bank, said that despite the challenges, there are 10 reasons to want to stay in the cybersecurity industry:

  • You get to be involved in pretty much every part of everything your organization does with natural focus on the customer
  • You need a range of skills not always found in other roles – which are individually portable and collectively indispensable
  • You get to take both broad and deep tech and business perspectives and rapidly learn the interplay between them – up and down the organization
  • You get earlier career exposure to senior people, inside and outside, and you become ultimately entwined with the core processes of your organization
  • You learn how to spot the failure modes of anything
  • You have fascinating and quickly evolving adversaries and, as a result, you are constantly learning and developing
  • You have amazing personal resilience, and an innate long-term optimism that things will keep getting better, perhaps because of your implicit short-term pessimism
  • You have a higher purpose. You are defending the flow of ideas/innovation that are essential to human progress – adding value to society – protecting people’s information and livelihoods (and sometimes lives)
  • You are usually good with incremental approaches, handling complexity and taking a systems-wide view
  • You are part of an amazing community

He also said that “until you’ve stepped out of security into another risk, IT or business role, you don’t realize how unique our camaraderie is.”

Venables added that a career in cybersecurity can give you a certain resilience, as there are good and bad days, but this can lead you to take “incremental approaches” to let you work organically through an environment.

“You also build a range of skills, as you have got to be a risk professional, a business product specialist, a security technician, a buyer, a sales person, an influencer, you have got to understand organizational strategy – you get to experience all of these things.”

Venables also said that cybersecurity professionals are involved in something that is “tremendously important to the organization, as we protect the flow of ideas, capital, innovation – they are essential.”

He concluded by saying he hadn’t acknowledged the benefits of the camaraderie until he stepped away from being a CISO to a more mainstream role, and he missed the sharing and education side of the industry. “When you’ve had a bad day, there is a community there supporting and sharing issues.

“We’re working in a fantastic time as we’re always thinking forward about all of the difficulties and all of the things to overcome, and what the next threat is going to be, but look back over the past few decades and what has actually been achieved to defend our organizations and our communities,” he said. “There have been failures, but there have also been successes.”

Source: Infosecurity

CVE-2020-9383

An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.
Source: NIST

CVE-2019-5165

An exploitable authentication bypass vulnerability exists in the hostname processing of the Moxa AWK-3131A firmware version 1.13. A specially configured device hostname can cause the device to interpret select remote traffic as local traffic, resulting in a bypass of web authentication. An attacker can send authenticated SNMP requests to trigger this vulnerability.
Source: NIST

CVE-2019-5162

An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as that user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
Source: NIST