A flaw was found in the grub2-set-bootflag utility of grub2. A local attacker could run this utility under resource pressure (for example by setting RLIMIT), causing grub2 configuration files to be truncated and leaving the system unbootable on subsequent reboots.
Source: NIST
CVE-2019-14865
CVE-2019-19387 (fusionpbx)
A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter.
Source: NIST
CVE-2019-19388 (fusionpbx)
A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter.
Source: NIST
CVE-2019-19384 (fusionpbx)
A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter.
Source: NIST
CVE-2019-19385 (fusionpbx)
A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter.
Source: NIST
CVE-2019-19386 (fusionpbx)
A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter.
Source: NIST
CVE-2019-19375
In Octopus Deploy before 2019.10.7, in a configuration where SSL offloading is enabled, the CSRF cookie was sometimes sent without the secure attribute. (The fix for this was backported to LTS versions 2019.6.14 and 2019.9.8.)
Source: NIST
CVE-2019-19376
In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdit permission could send a malformed Team API request that bypasses input validation and causes an application level denial of service condition. (The fix for this was also backported to LTS 2019.9.8 and LTS 2019.6.14.)
Source: NIST
CVE-2019-19379
In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.
Source: NIST
Missed Security Targets Start to Trouble Senior Execs
Companies that fail to set their IT security teams targets that directly correlate with overall business performance are causing problems for their CEOs, according to new research from Thycotic.
The privileged access management solutions provider surveyed more than 100 UK IT security decision-makers, with 61% admitting that there are implications for the CEO if security teams are unable to meet targets set to them.
With regards to the types of consequences they can face, the respondents noted facing a hard time from shareholders (44%), longer hours spent at work (40%) and even more serious implications such as penalties including lost bonus payments (37%) and threats to job security (35%).
Of particular note though, Thycotic’s research discovered that, when asked to describe what success looks like to them, IT security teams felt that being valued by the company (45%) was of more importance than achieving targets set by the board (42%). That suggests that CEOs risk repercussions if they set targets that do not effectively inspire IT and security professionals in their work.
Joseph Carson, chief security scientist and advisory CISO at Thycotic said: “The data breach at TalkTalk ushered in a new era where CEOs can and will be held accountable for IT security failures that occur on their watch. Today, when cybersecurity teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity and bonus reductions.”
To minimize the risks, he added, CEOs need to set proactive measures and appropriate budgets for IT security professionals that demonstrate the positive contribution they make to overall business performance.
“A good example is to appoint an IT security professional with good communication skills in charge of cross-departmental co-operation. This has the dual advantage of putting IT security on a more proactive footing and increasing the chances of spotting/remediating digital risks early before they can escalate and cause trouble at board level.”
Source: Infosecurity