Tackling cross-site request forgery (CSRF) on company websites
2021-03-23 06:00

The action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML. Now, the start of any CSRF attack is always the payload. The first thing to note here is that when an iframe loads, it sends a GET request to whatever is specified in the 'src' parameter. How would an attacker get the payload to fill the whole page? Well, as we demonstrated in our test, we can interact with the height and width properties of iframes using JavaScript.

Why DDI technology is fundamental for multicloud success
2021-03-23 05:30

The real value of multicloud is being lost because of the lack of understanding on how to best use the technology. Whereas a single cloud provider can provide a specific area of use for a company such as email or videoconferencing, multicloud allows businesses to pick and choose the services they need to optimize their workplace, ensuring that all the diverse needs of that business are met via a flexible infrastructure.

Only 14% of domains worldwide truly protected from spoofing with DMARC enforcement
2021-03-23 05:00

While the DMARC enforcement rate increases, 3 billion messages per day are still spoofing the sender's identity, Valimail reveals.

DMARC protected domains: key findings

Three billion messages per day are spoofing the sender identity used in their "From" fields.

Remote Code Execution Vulnerability Patched in Apache OFBiz
2021-03-23 04:52

One of the vulnerabilities addressed by the latest update for Apache OFBiz is an unsafe Java deserialization issue that could be exploited to execute code remotely, without authentication. A Java-based web framework, Apache OFBiz is an open source enterprise resource planning system that includes a suite of applications to automate business processes within enterprise environments, and which can be used across any industry.

80% of security leaders would like more control over their API security
2021-03-23 04:30

An Imvision report, based on insights from over 100 senior security leaders at large enterprises in the United States and Europe, reveals major gaps in API security. With 9 out of 10 security leaders naming API security as a priority, the survey results indicate a consensus among professionals that the shift to the cloud and the expansive adoption of APIs have created a new layer of technology that requires dedicated attention.

Critical Flaws Affecting GE's Universal Relay Pose Threat to Electric Utilities
2021-03-23 04:24

The U.S. Cybersecurity and Infrastructure Security Agency has warned of critical security shortcomings in GE's Universal Relay family of power management devices. "Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition," the agency said in an advisory published on March 16.

Data breaches and network outages: A real and growing cost for the healthcare industry
2021-03-23 04:00

Data breaches and network outages are a real and growing cost for the industry: 43% of respondents estimated the costs of data breaches would exceed $2 million and 34% said the same for network outages. The healthcare industry is a target: 52% of respondents suffered a data breach in the past year.

WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack
2021-03-23 03:57

Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. "There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18.

Egress Analytics provides full visibility of email security risk
2021-03-23 03:00

Egress has announced enhancements to its reporting functionality, equipping customers with full visibility of their email security risk. Egress Analytics is available as part of Egress Prevent, Egress' flagship solution which utilizes contextual machine learning to mitigate the risk of human-activated email data breaches.

Baffle Data Protection Services deliver Hold Your Own Key data protection for Snowflake Data Cloud
2021-03-23 02:30

Baffle announced that its Data Protection Services are now available to enable data de-identification with customer-owned keys for Snowflake Data Cloud. Without any code changes or performance impact on the user experience, Snowflake customers can now leverage Baffle's transparent data protection layer to secure their entire data pipeline as source data is migrated to Snowflake and used for data analytics.