Security News
Security researchers warn of three new zero-day vulnerabilities in the Kaseya Unitrends service and advise users not to expose the service to the Internet. Kaseya Unitrends is a cloud-based enterprise backup and disaster recovery solution that is offered as a stand-alone solution or as an add-on for the Kaseya VSA remote management platform.
If you wait until production to discover API vulnerabilities, you can incur substantial delays. Existing application security testing tools are generic and aim at traditional web app vulnerabilities, and can't effectively handle the business logic intricacies of an API. Because APIs don't have a UI, it is common for companies to test web, app, and mobile separately - but not the API itself.
One key way that cybercriminals compromise organizations and users is by exploiting known security vulnerabilities. Of course, one key way that organizations can protect themselves is by patching known security vulnerabilities.
Patches released this week by Dell for its OpenManage Enterprise product address multiple critical-severity vulnerabilities. A systems management and monitoring application, Dell OpenManage Enterprise provides administrators with a comprehensive view of Dell EMC servers, network switches, and storage in their environment.
Security updates released by Adobe on Tuesday for seven of its products patch a total of 21 vulnerabilities, including 15 flaws that have been assigned a critical severity rating. Seven vulnerabilities have been addressed in Adobe After Effects for Windows and macOS. Five of them can allow arbitrary code execution and they have been rated critical, but it's worth noting that they are actually high-severity issues based on their CVSS score.
Cisco's Talos threat intelligence and research unit has disclosed the details of several critical vulnerabilities affecting a router monitoring application made by Taiwan-based industrial and IoT solutions provider Advantech. The affected tool is R-SeeNet, which is designed to help network administrators monitor their Advantech routers.
D-Link has issued a firmware hotfix to address multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router. The CVE-2021-21818 and CVE-2021-21820 hard-coded password and credentials vulnerabilities [1, 2] exist in the router's Zebra IP Routing Manager and the Libcli Test Environment functionality.
Researchers discovered two vulnerabilities in Etherpad, an open-source collaborative real-time editor that allows multiple authors to simultaneously edit a text document. The second flaw is an argument injection vulnerability that allows an attacker to execute arbitrary code and system commands to fully compromise the Etherpad instance and its data.
Industrial automation solutions provider MDT Software has patched several critical and high-severity vulnerabilities in its flagship product, MDT AutoSave. MDT AutoSave is an automation change management solution that provides backup, version control, historical tracking, user permission, audit trail, change detection, and disaster recovery capabilities for a wide range of industrial control systems, including PLC, CNC, SCADA, HMI, robots, drives, and welders.
Lenovo this week published information on three vulnerabilities that impact the BIOS of two of its desktop products and approximately 60 laptop and notebook models. Tracked as CVE-2021-3452 and affecting tens of ThinkPad models, the first of the bugs impacts the system shutdown SMI callback function and could be abused by a local attacker that already has elevated privileges on the device to execute arbitrary code.