CVE-2020-17463 (fuel_cms)

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
Source: NIST

CVE-2020-16087

An issue was discovered in Zalo.exe in VNG Zalo Desktop 19.8.1.0. An attacker can run arbitrary commands on a remote Windows machine running the Zalo client by sending the user of the device a crafted file.
Source: NIST

CVE-2020-13282

For GitLab before 13.0.12, 13.1.6, 13.2.3, after a group transfer occurs, members from a parent group keep their access level on the subgroup, leading to improper access.
Source: NIST

CVE-2020-13280

For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.
Source: NIST

CVE-2019-16374

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
Source: NIST

CVE-2020-13283

For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issues list via milestone title.
Source: NIST

Phishing Tactic Targets Verizon Users' Credentials

A new phishing tactic that targets Verizon customers to steal user credentials, passwords and personal details has been detected.


According to research by Armorblox, the email resembles a secure message from Verizon Support and is titled “Your attention is urgently required”. When the recipient clicked the link, they were led (through a redirection) to a Verizon lookalike website which asked them to part with their email address, Verizon account password, email account password and phone number.


Speaking to Infosecurity, Arjun Sambamoorthy, co-founder and head of engineering at Armorblox, said that by collecting the target’s credentials, the attackers are phishing for personal details and enabling more emails to be sent from the victim’s domain that would appear to be legitimate. He also said successful access to the victim’s account would allow access to the details of any other users of the Verizon service.


Sambamoorthy also said the emails got through because they didn’t follow the traits of more traditional phishing attacks. In one case the attack used a Wicca follower page named “Black Sun Coven” as the parent domain. Sambamoorthy explained that the domain was registered in August 2019 and used for the phishing attack 11 months later.


“Assuming the website being discussed here is legitimate, the attackers likely exploited vulnerabilities in the web server or the Content Management Systems (CMS) to host phishing pages on the legitimate parent domain without the website admins knowing about it,” he said.


Sambamoorthy said “a handful of users” had been impacted, and the attack was still under investigation, while he had seen similar tactics used for other services.


“We have seen variants of this attack,” he said. “Attackers do this to hijack the trust associated with these brands, induce urgency in their victims (e.g. Your Amazon delivery address is incorrect, There’s a billing failure on your Netflix account), and in some cases to circumvent any company SSO rules that might be in place.”


As for the use of the Wicca follower page, Sambamoorthy said Armorblox was increasingly seeing attackers host phishing pages on dummy sites or on orphaned pages of legitimate websites. “They’re able to do this by exploiting vulnerabilities in the web servers or CMS without website admins knowing about it. Based on our initial research, Black Sun Coven was most likely a dummy site the attackers created. The site didn’t have any contact information and online searches for ‘Black Sun Coven’ yielded unrelated results to the site in question.”


Source: Infosecurity

CVE-2020-4589 (websphere_application_server)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. The vulnerability only occurs if an undocumented customization has been applied by an administrator. IBM X-Force ID: 184585.
Source: NIST

CVE-2019-4582 (maximo_asset_management)

IBM Maximo Asset Management 7.6.0 and 7.6.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 167288.
Source: NIST

IT Pros Name Misconfiguration #1 Cloud Security Threat

Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals by Check Point.


The security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.


Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.


The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%).


These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.


This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organizations are using two or more public cloud providers — adding to the complexity.


Other top barriers included budget constraints (46%), data privacy issues (37%), and a lack of integration with on-premises security (36%).


The number of organizations struggling with existing security tools also rose from last year, from 66% to 82% — indicating that many may still be trying to apply on-premises technologies to cloud environments.


The good news is that despite the current macroeconomic climate, 59% of organizations expect their cloud security budget to increase over the next 12 months, with respondents on average allocating 27% of their security budget to cloud security.


“The report shows that organizations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes,” said TJ Gonen, head of cloud product line at Check Point.


“To close these security gaps, enterprises need to get holistic visibility across all of their public cloud environments, and deploy unified, automated cloud-native protections, compliance enforcement and event analysis.”


Cloud security posture management (CSPM) tools are widely viewed as a best-practice way to help mitigate the risk of misconfigurations. One provider, Trend Micro, claims that its Cloud One - Conformity product detects 230 million of these errors every single day.


Source: Infosecurity