This article is contributed. See the original author and article here.
The end of #DevDecember is near, and we’re ready to kick off 2021. To help you mark the transition and start anew, we’ve created digital New Year postcards in three designs that you can adapt and share with fellow devs, friends, and family. Download the New Year cards on our #DevDecember homepage.
Before we hit send, let’s take one more look in the rearview mirror.
Each week, we asked for your #DevDecember thoughts, starting with the ways you grew this year as developer, and moving on to what communities had your back, what inspired you, and what projects and challenges you were most looking forward to in 2021.Check out what fellow devs shared.
Week 1: What helped us growprofessionally
Beginner’s series to JavaScript
Taking your first steps toward mastering a new programming language is exciting, but it can also feel overwhelming. To help you get started with JavaScript, we’ve created short and easy-to-consume videos that break down the key concepts you need to know.
Want to grow your professional IoT skills? Your first stop may be the garden. Get your hands dirty with a workshop on how to build an internet-connected device to gather soil moisture data that will tell you (by lighting up an LED) if a plant needs watering.
Bringing browser developer tools to Visual Studio Code
One of our favorite releases in 2020 was the Microsoft Edge Tools for VS Code extension, designed to simplify workflows. Connect to an existing browser instance, start a new one, or use a “headless” browser.
@JoeCamp13 built an app to track inventory entirely with Power Apps. His explanation of how he did it, is illustrated with screenshots so you can follow along.
Learn from the best on Twitch! Watch devs code live, and connect and ask questions in real time. Find out how joining Microsoft’s virtual community can speed up learning new skills and languages. Watch an intro video on Twitch and live coding (25 min)
The ReadMe Project
Behind the open-source code used by millions of people are the unseen efforts of countless contributors, who put in long hours to build software, fix issues, and more. Meet some of the people making contributions, including veterans who find the teamwork required for open-source collaboration a natural fit.
Remote collaboration with Live Share in Visual Studio Code
With Live Share, you can instantly share your project with fellow developers. No need to clone a repo or set up the environment. It’s a one-stop, real-time collaboration tool for pairing, code reviews, technical interviews, boot camps, and more.
Cooking up code is a bit like developing food recipes. The more people who test your recipe, the more it’s likely to guarantee that what lands on your plate is what you intended.
With everyone at home, dishes pile up faster, garbage accumulates, and chores must be done more frequently. To keep track in real time what chores need to be completed and by when, Scott Hanselman built an IoT solution, using sensors, a web-based heatmap, and notifications.
Taking your mind off what you’re working on is sometimes the best way to get inspiration. The Developer Activity Book features family-friendly fun, including seven coloring pages, a crossword puzzle, a word search, and a logic puzzle.
The Imagine Cup World Championship encourages students across the globe to innovate using Microsoft Azure. Finalist teams created technological solutions to tackle pressing global issues. Get inspired by their passion and the incredible projects they created.
Most of the plastic that ends up in the oceans comes from inland sources. In this episode of CodeStories, Seth Juarez shows how developers can use AI to address this problem by monitoring microplastic and tracking ocean-bound plastic waste.
In 2020, we launched the Microsoft Learn Student Ambassadors program, where students can join a global community of peers, connect with mentors, learn the skills they need to land a dream job, and make a difference. Applications are open year-round, and we will accept hundreds more Student Ambassadors in 2021. Learn more about the program
Speed up development
What does it take to go from idea to development without detours? Best-in-class tools and product management are two of the things that boost velocity, a new McKinsey report found. Find out how to get stuff done faster in 2021 with this and other real-world strategies.
Intimidated by the idea of learning a new programming language? We’ve got a few ways to make it easier so 2021 is the year you make it happen. Download Visual Studio Code, then dive into tutorials and other resources that you can go through at your own pace.
Predicting meteor showers using Python and VS Code
Shooting for the moon in 2021? This session may provide inspiration. Dr G explains what meteor showers are and how data science is used to predict these events. No coding experience required.
Finally, before we raise a glass, cup, or mug to 2021, we’d like to thank all of you who have shared#DevWithABev pictures during the month. We’ve discovered a few new beverages and flavors to sip.
Here’s to new projects and new adventures! Happy New Year!
This article is contributed. See the original author and article here.
abb — symphony_+_historian
In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as.
Vulnerabilities in the S+ Operations and S+ Historian web applications can lead to a possible code execution and privilege escalation, redirect the user somewhere else or download unwanted data.
An authenticated user might execute malicious code under the user context and take control of the system. S+ Operations or S+ Historian database is affected by multiple vulnerabilities such as the possibility to allow remote authenticated users to gain high privileges.
In the Pulsar manager 0.1.0 version, malicious users will be able to bypass pulsar-manager’s admin, permission verification mechanism by constructing special URLs, thereby accessing any HTTP API.
If Apache TomEE 8.0.0-M1 – 8.0.3, 7.1.0 – 7.1.3, 7.0.0-M1 – 7.0.8, 1.0.0 – 1.7.5 is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on TCP port 1099, which does not include authentication. CVE-2020-11969 previously addressed the creation of the JMX management interface, however the incomplete fix did not cover this edge case.
Affected versions of Atlassian Crucible allow remote attackers to impact the application’s availability via a Denial of Service (DoS) vulnerability in the file upload request feature of code reviews. The affected versions are before version 4.7.4, and from version 4.8.0 before 4.8.5.
An issue was discovered in Programi Bilanc build 007 release 014 31.01.2020 and possibly below. It relies on broken encryption with a weak and guessable static encryption key.
Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure including the website, update server, and external issue tracking tools.
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. Lack of authentication functionality allows an attacker to assign a static IP address that was once used by a valid user.
An issue was discovered on D-Link DSL-2888A devices with firmware prior to AU_2.31_V1.1.47ae55. An unauthenticated attacker could bypass authentication to access authenticated pages and functionality.
DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user. 2) The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack. This has been fixed in version 1.58.2.
EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user’s account.
Cross Site Scripting (XSS) vulnerability via the ‘Full Name’ parameter in the User Registration section of User Registration & Login System with Admin Panel 1.0.
Emerson Rosemount X-STREAM Gas AnalyzerX-STREAM enhanced XEGP, XEGK, XEFD, XEXF – all revisions, The affected products are vulnerable to improper authentication for accessing log and backup data, which could allow an attacker with a specially crafted URL to obtain access to sensitive information.
A use-after-free vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger the reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
A type confusion vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger an improper use of an object, resulting in memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously free memory which can lead to arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. There is a WebView SSL error-handler vulnerability. The LG ID is LVE-SMP-200026 (December 2020).
An issue was discovered on LG mobile devices with Android OS 10 software. When a dual-screen configuration is supported, the device does not lock upon disconnection of a call with the cover closed. The LG ID is LVE-SMP-200027 (December 2020).
HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability to obtain information about the XPages software running on the Domino server.
HCL Verse v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim’s web browser within the security context of the hosting Web site and/or steal the victim’s cookie-based authentication credentials.
HCL iNotes is susceptible to a Tabnabbing vulnerability caused by improper sanitization of message content. A remote unauthenticated attacker could use this vulnerability to trick the end user into entering sensitive information such as credentials, e.g. as part of a phishing attack.
HCL iNotes v9, v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim’s web browser within the security context of the hosting Web site and/or steal the victim’s cookie-based authentication credentials.
A vulnerability in the input parameter handling of HCL Client Application Access v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user.
A potential security vulnerability has been identified in the HPE StoreEver MSL2024 Tape Library and HPE StoreEver 1/8 G2 Tape Autoloaders. The vulnerability could be remotely exploited to allow Cross-site Request Forgery (CSRF).
IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.6 could allow an authenticated user to obtain sensitive information or cuase a denial of service due to iimproper authorization checking. IBM X-Force ID: 189445.
IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 183328.
IBM Planning Analytics 2.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 188898.
IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 190045.
IBM Security Secret Server 10.6 stores potentially sensitive information in config files that could be read by an authenticated user. IBM X-Force ID: 190048.
IBM Security Secret Server 10.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190046.
IBM Security Secret Server 10.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 190044.
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. In Jupyter Server before version 1.1.1, an open redirect vulnerability could cause the jupyter server to redirect the browser to a different malicious website. All jupyter servers running without a base_url prefix are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may *appear* safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8. This is fixed in jupyter_server 1.1.1. If upgrade is not available, a workaround can be to run your server on a url prefix: “jupyter server –ServerApp.base_url=/jupyter/”.
An information disclosure vulnerability exists in the Web Manager and telnet CLI functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause information disclosure. An attacker can sniff the network to trigger this vulnerability.
An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded.
An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a “bureaucrat user” who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
In MediaWiki before 1.35.1, the combination of Html::rawElement and Message::text leads to XSS because the definition of MediaWiki:recentchanges-legend-watchlistexpiry can be changed onwiki so that the output is raw HTML.
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don’t exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.
MediaWiki before 1.35.1 blocks legitimate attempts to hide log entries in some situations. If one sets MediaWiki:Mainpage to Special:MyLanguage/Main Page, visits a log entry on Special:Log, and toggles the “Change visibility of selected log entries” checkbox (or a tags checkbox) next to it, there is a redirection to the main page’s action=historysubmit (instead of the desired behavior in which a revision-deletion form appears).
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.
An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use MediaWikiShellShell::command within a comment.
** DISPUTED ** In Solstice Pod before 3.0.3, the firmware can easily be decompiled/disassembled. The decompiled/disassembled files contain non-obfuscated code. NOTE: it is unclear whether lack of obfuscation is directly associated with a negative impact, or instead only facilitates an attack technique.
In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate user’s network traffic could record and monitor their interactions with the web services and obtain any information the user supplies, including Administrator passwords and screen keys.
In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities.
In Solstice Pod before 3.3.0 (or Open4.3), the Administrator password can be enumerated using brute-force attacks via the /Config/service/initModel?password= Solstice Open Control API because there is no complexity requirement (e.g., it might be all digits or all lowercase letters).
MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the first parameter in a POST request.
The Bluetooth handset of Mitel MiVoice 6873i, 6930, and 6940 SIP phones with firmware before 5.1.0.SP6 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.
The chat window of Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.11 and 7.x before 7.0.3 could allow an attacker to gain access to user information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view the user information and application data.
The online help portal of Mitel MiCollab before 9.2 could allow an attacker to redirect a user to an unauthorized website by executing malicious script due to insufficient access control.
The Bluetooth handset of Mitel MiVoice 6940 and 6930 MiNet phones with firmware before 1.5.3 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session and hijack it by stealing the user’s cookies.
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower stores and transmits the credentials of third-party services in cleartext.
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows sensitive information to be displayed without proper authorization.
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication.
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has improper privilege management, which may allow an attacker with user privileges to perform requests with administrative privileges.
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to modify translated terms, which may lead to arbitrary content modification on translatable elements.
Improper access control in mail module (followers) in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier, allows remote authenticated users to obtain access to messages posted on business records there were not given access to, and subscribe to receive future messages.
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.
Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.
Improper access control in mail module (channel partners) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to subscribe to arbitrary mail channels uninvited.
Improper input validation in portal component in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier, allows remote attackers to trick victims into modifying their account via crafted links, leading to privilege escalation.
Cross-site scripting (XSS) issue in attachment management in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via a crafted link.
Cross-site scripting (XSS) issue in “document” module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.
A arbitrary code execution vulnerability exists in the way that the Stove client improperly validates input value. An attacker could execute arbitrary code when the user access to crafted web page. This issue affects: Smilegate STOVE Client 0.0.4.72.
Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. In Open Zaak before version 1.3.3 the Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open – every client is allowed. This allows evil.com to run scripts that perform AJAX calls to known Open Zaak installations, and the browser will not block these. This was intended to only apply to development machines running on localhost/127.0.0.1. Open Zaak 1.3.3 disables CORS by default, while it can be opted-in through environment variables. The vulnerability does not actually seem exploitable because: a) The session cookie has a `Same-Site: Lax` policy which prevents it from being sent along in Cross-Origin requests. b) All pages that give access to (production) data are login-protected c) `Access-Control-Allow-Credentials` is set to `false` d) CSRF checks probably block the remote origin, since they’re not explicitly added to the trusted allowlist.
URLs using “javascript:” have the protocol removed when pasted into the address bar to protect users from cross-site scripting (XSS) attacks, but in certain circumstances this removal was not performed. This could allow users to be socially engineered to run an XSS attack against themselves. This vulnerability affects Opera for Android versions below 61.0.3076.56532.
Vulnerability in the Oracle Cloud Infrastructure Identity and Access Management product of Oracle Cloud Services. Easily exploitable vulnerability allows high privileged attacker with network access to compromise Oracle Cloud Infrastructure Identity and Access Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Cloud Infrastructure Identity and Access Management accessible data as well as unauthorized read access to a subset of Oracle Cloud Infrastructure Identity and Access Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Cloud Infrastructure Identity and Access Management. All affected customers were notified of CVE-2020-14874 by Oracle. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users’ personal information, including name, email and public SSH key.
Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue’s hub and it will stop responding. The “hub” will stop operating and be frozen until the flood stops. During the flood, the user won’t be able to turn on/off the lights, and all of the hub’s functionality will be unresponsive. The cloud service also won’t work with the hub.
Marital – Online Matrimonial Project In PHP version 1.0 suffers from an authenticated file upload vulnerability allowing remote attackers to gain remote code execution (RCE) on the Hosting web server via uploading a maliciously crafted PHP file.
async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body. One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request. Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients’ requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user’s request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary. This has been addressed in async-h1 2.3.0 and previous versions have been yanked.
Host Header Injection in Spiceworks 7.5.7.0 allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
Steedos Platform through 1.21.24 allows NoSQL injection because the /api/collection/findone implementation in server/packages/steedos_base.js mishandles req.body validation, as demonstrated by MongoDB operator attacks such as an X-User-Id[$ne]=1 value.
tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=%URL%&config=%CONFIG% API endpoint that accepts an arbitrary %URL% value and launches a GET request for it, but does not consider that the external request target may indirectly redirect back to this original /sub endpoint. Thus, a request loop and a denial of service may occur.
tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced in the browser (client-side) and can be circumvented. This allows an attacker to upload any file as an attachment to a workitem.
In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users.
Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp.
In tangro Business Workflow before 1.18.1, a user’s profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibited server-side.
An issue was discovered in tangro Business Workflow before 1.18.1. No (or broken) access control checks exist on the /api/document/<DocumentID>/attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to gather valid attachment IDs for workitems that do not belong to them.
In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.
An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required.
In certain scenarios in Tenable.sc prior to 5.17.0, a scanner could potentially be used outside the user’s defined scan zone without a particular zone being specified within the Automatic Distribution configuration.
ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen.
tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn’t start with 0x00, 0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in side-channel free manner, this is known to not the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the DHCPv6 client component allows an unauthenticated remote attacker to cause an Out of Bounds Read, and possibly a Denial of Service via adjacent network access.
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an out-of-bounds read of up to three bytes via network access.
Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4 allows authenticated remote attackers to inject arbitrary web script or HTML via the search_key GET Parameter in TinCan_Content_List_Table.php, message GET Parameter in licensing.php, tc_filter_group parameter in reporting-admin-menu.php, tc_filter_user parameter in reporting-admin-menu.php, tc_filter_course parameter in reporting-admin-menu.php, tc_filter_lesson parameter in reporting-admin-menu.php, tc_filter_module parameter in reporting-admin-menu.php, tc_filter_action parameter in reporting-admin-menu.php, tc_filter_data_range parameter in reporting-admin-menu.php, or tc_filter_data_range_last parameter in reporting-admin-menu.php.
Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Groups for LearnDash before v3.7 allow authenticated remote attackers to inject arbitrary JavaScript or HTML via the ulgm_code_redeem POST Parameter in user-code-redemption.php, the ulgm_user_first POST Parameter in user-registration-form.php, the ulgm_user_last POST Parameter in user-registration-form.php, the ulgm_user_email POST Parameter in user-registration-form.php, the ulgm_code_registration POST Parameter in user-registration-form.php, the ulgm_terms_conditions POST Parameter in user-registration-form.php, the _ulgm_total_seats POST Parameter in frontend-uo_groups_buy_courses.php, the uncanny_group_signup_user_first POST Parameter in group-registration-form.php, the uncanny_group_signup_user_last POST Parameter in group-registration-form.php, the uncanny_group_signup_user_login POST Parameter in group-registration-form.php, the uncanny_group_signup_user_email POST Parameter in group-registration-form.php, the success-invited GET Parameter in frontend-uo_groups.php, the bulk-errors GET Parameter in frontend-uo_groups.php, or the message GET Parameter in frontend-uo_groups.php.
An issue was discovered in URVE Build 24.03.2020. The password of an integration user account (used for the connection of the MS Office 365 Integration Service) is stored in cleartext in configuration files as well as in the database. The following files contain the password in cleartext: Profiles/urve/files/sql_db.backup, Server/data/pg_wal/000000010000000A000000DD, Server/data/base/16384/18617, and Server/data/base/17202/8708746. This causes the password to be displayed as cleartext in the HTML code as roomsreservationimport_password in /urve/roomsreservationimport/roomsreservationimport/update-HTML5.
A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter ‘section’.
ZTE E8810/E8820/E8822 series routers have an MQTT DoS vulnerability, which is caused by the failure of the device to verify the validity of abnormal messages. A remote attacker could connect to the MQTT server and send an MQTT exception message to the specified device, which will cause the device to deny service. This affects:<ZXHN E8810, ZXHN E8820, ZXHN E8822><E8810 V1.0.26, E8810 V2.0.1, E8820 V1.1.3L, E8820 V2.0.13, E8822 V2.0.13>
ZTE E8810/E8820/E8822 series routers have an information leak vulnerability, which is caused by hard-coded MQTT service access credentials on the device. The remote attacker could use this credential to connect to the MQTT server, so as to obtain information about other devices by sending specific topics. This affects:<ZXHN E8810, ZXHN E8820, ZXHN E8822><E8810 V1.0.26, E8810 V2.0.1, E8820 V1.1.3L, E8820 V2.0.13, E8822 V2.0.13>
This article is contributed. See the original author and article here.
2020 has been a year of ups and downs for all of us, lots of changes and lots of adjusting. I wanted to look back at the year and look at the highlights from the community pulling together and the awesome new features/products that have been launched.
Azure Regions
Azure Regions
We’ve seen a whole host of new Azure regions announced this year, some are expanding on existing regions while others are brand new regions:
Taiwan
Austria
Spain
Brazil
Arizona
Poland
Italy
Greece
Azure Security Centre
Azure Security Centre
Azure Security Centre has seen some great new features and developments this year. For me, the two highlights have been Asset Inventory and Multi Cloud Support. Asset Inventory is in preview, but it provides you with an overview of the security posture of the resources you have connected to Security Center.
Multi Cloud support means those who have an environment spanning across a multi cloud environment can integrate Amazon Web Services (AWS) Security Hub and Google Cloud Platform (GCP) Security Command into Security Centre.
Azure VMware Solution went Generally Available
Azure VMware Solution
The Azure VMware Solution (AVS) offering went Generally Available (GA) in September 2020. AVS offers a great solution for companies who are looking to move their workloads from Azure but want to stay with VMware as well. This offers the best of both worlds, utilizing the familiar VMware platform while making use of the scale and reliability of Azure.
Azure Stack HCI
Azure Stack HCI
Azure Stack HCI, as a hyper-converged infrastructure (HCI) solution was announced expanding the Azure Stack Portfolio at Inspire 2020.
Azure Stack HCI is a hyper-converged cluster solution that runs virtualized Windows and Linux workloads in a hybrid on-premises environment. Potential user cases for this are datacenter modernization, branch office scenarios and Virtual Desktop infrastructure or even running Kubernetes clusters.
The Azure Stack HCI operating system (OS) is a specialized OS with streamlined composition and newer components than Windows Server 2019, meaning it includes a minimal local user interface and is designed for remote management.
Azure Arc
Azure Arc
Lots of companies are now facing a multi cloud environment, either by design or by accident through shadow IT and managing all those resources to make sure they compliant with company policies can be a bit of a challenge, or even a nightmare. What Azure Arc enables you to do it is manage your virtual machines, Kubernetes clusters and database that don’t live on Azure as if they are running in Azure. Giving you that one management plane to ensure you can have all your resources compliant to company policies.
Private Azure Marketplace
This is an announcement that happened at Microsoft Ignite that I missed until this month. Private Azure Marketplace is in preview and it allows administrators to govern which third party solutions can be used, that comply and match your enterprise’s policies. I know a lot of customers that will be interested in this as the Azure Marketplace has always been something that they have struggled to control from a cost and compliance point of view.
Community
This year has seen nearly all conferences, community events and meetings into virtual ones. And I definitely miss meeting up with everyone, collecting stickers and all the pizza you get a meetups, however what this year has offered is the change to “travel” to user groups and interact with the community in locations I might never be able to get to in person. This year I have had the pleasure of speaking at over 35 different events ranging from Microsoft Ignite to the local Azure User Groups here in the UK.
I’ve loved how the community has pulled together and managed to still have the meetups and conferences to share knowledge and fun.
The Glasgow Azure User Group organized sticker packs for some of the community around the world:
Loving seeing all the sticker packs arriving! Thank you to everyone for their support in making this an awesome community! :grinning_face: https://t.co/8Ikq4mYoCz
The Festive Tech Calendar launched for a second year, seeing people from the Azure, O365, PowerApps and more communities come together to share content and help each other out, while wearing some festive jumpers!
Each week we will publish a challenge co-created by Azure Advocates with some amazing Student Ambassadors around the world. Discover popular festive recipes and learn how Microsoft Azure empowers you to do more with Azure Serverless services! :fork_and_knife_with_plate: :smiling_face_with_heart_eyes:.
Explore our serverless Resources and learn how you can contribute solutions here.
In Korea, when New Year begins, everyone eats tteok-guk (rice cake soup). There are various shapes of tteok, but especially for greeting New Year, garae-tteok is the most popular to make the soup.
As garae-tteok has a long and cylindrical shape, people wish to live long, by eating tteok-guk. When cooking tteok-guk, the garae-tteok is sliced into small pieces, which look like coins. This coin-like shape is believed to bring wealth.
I took an interview video with MLSAs how they have implemented. They actually did awesome jobs! Although we took the video in Korean, we provide subtitles in both English and Korean. So, turn on the subtitles and you won’t regret it.
Ingredients (for 4 People)
Cooking tteok-guk is fairly straightforward. Here is the list of ingredients for four people.
Garae-tteok: 400g
Diced beef: 100g
Water: 10 cups
Eggs: 2
Spring onion: 1
Minced garlic: 1 tablespoon
Soy sauce: 2 tablespoon
Sesame oil: 1 tablespoon
Olive oil: 1 tablespoon
Salt and pepper
Recipe
The simplest way to cook tteok-guk is the following:
Slice garae-tteok into small pieces – no thicker than 5 mm.
You can buy sliced garae-tteok.
But in this case, put the sliced garae-tteok into a bowl of water for about 30 mins.
Slice spring onion.
At high heat, stir-fry the diced beef with sesame oil and olive oil until the beef surface goes brown.
Put the water into the wok and boil for about 30 mins with medium heat.
While boiling, remove bubbles from the water from time to time.
Get the eggs beaten.
After the 30 mins, put the minced garlic and soy sauce into the boiled soup. Add some salt, if necessary.
Add the beaten egg and sliced spring onion.
Serve the soup with pepper drizzled on top.
You Jin depicted the recipe in the flow-chart format (some letters are in Korean).
Recipe Steps Implementation
As each step takes time to complete, the prep time is simulated by a timer. Azure Durable Function offers the Timer feature, which perfectly fits this case.
After the aggregation, Run the Step 4 (Boiling). While boiling, bubbles randomly occur, which should be removed (Step 5).
Then, add garlic and sauce (Step 7), Add beaten eggs and spring onion (Step 8), and finally serve the soup by adding salt and pepper (Step 9). Step 9 returns a random tteok-guk image from Azure Blob Storage, and the image is sent to the designated email.
At this stage, we have to consider the two-minute limitation of Logic Apps during this execution. Therefore, instead of using the HTTP action, we used the HTTP webhook action to overcome this restriction. The following screenshot shows the end-to-end execution result.
As you can see the last action, the tteok-guk image is sent to the given email like this:
Recipe Automatic Build and Deployment
Both Durable Function apps and Logic App orchestration are all automatically built and deployed to Azure via GitHub Actions. You can find more details at the following links. As we used Bicep to build ARM template, you might like to know more about it. This link would be helpful, if you like.
The first plan was to migrate the Logic App to Power Automate flow. However, we eventually decided to separate Power Automate side from Logic App side. Within the Power Automate workflow, we call the Logic App workflow using the webhook action. As Power Apps calls this Power Automate workflow, it sends the result back to the Power App through the push notification.
In order to use the push notification feature on Power Automate, we should slightly update the Logic App. The final action on the Logic App is not only sending an email but also calling back to the Power Automate with the image URL.
Power Apps Build
To call Power Automate workflow with parameters, we used Power Apps. The following screenshot shows which controls we used in the Power Apps canvas.
Once completed, publish the Power Apps and run it on our mobile phone. And here’s the result.
So far, we have built an end-to-end solution to cook tteok-guk, using Azure serverless services including Power Platform. The entire source code can be fount at this repository:
As this repository also contains the sample Power Apps and Power Automate workflow, download the zip files and import them to your Power Platform and run them. It will be super easy! If you like to challenge the other recipes, check out this page, #SeasonsOfServerless!
This article was originally published on Dev Kimchi.
As a first step, please download the log analytics queries in this GitHub repo that we will be using to set up the following custom dashboards. We are going to create the following charts in this article:
Top 20 Long Running Queries by Execution time in a given interval
Number of Rows processed per hour
Most Rows Processed Per Query step
Number of Rows processed per Query
Navigate to the Log Analytics workspace you configured to receive Synapse diagnostic data as shown below.
Close out the ‘queries’ popup and paste in the text from ‘Top20LongrunningQueries.txt’ file in the GitHub link provided above (image below for your reference). Replace the database name with your database name.
You can save the query for future use with a name that corresponds to the query goal. For example, ‘LongRunningQueriesbyexecutiontime’
Press ctrl-A to select all the contents in the query window, including the commented out portions. Press Run to execute the Query. Once you get the results, select ‘Pin to dashboard’ then in the popup choose the dashboard we are working on and click ‘pin’
Navigate to your dashboard and find the chart that you just pinned. Click the pencil icon to rename the chart to fit the purpose.
In the popup at the top of the window click ‘save’ – you will want to do this each time you make a change or all the changes you made will be discarded.
Navigate back to the log analytics workspace and paste in the text from the file ‘Top20Stepsthatmovedmostnumberofrows.txt’ that you downloaded. Save the query, select all the contents in query window and run. Once you get the results, pin it to the dashboard.
Without leaving the query window, click the ‘Chart’ button. The output will switch to a chart view. Set the 3 parameters as shown in the screenshot below – note that you will need to set ‘OperationType_s’ first to be able to set the first parameter to RequestID_s. Pin this chart to the dashboard as well.
Navigate back to the dashboard and rename both the charts and save the dashboard.
Repeat the process for query, RowsProcessedPerHour.txt as well and pin the chart to the dashboard.
Now for all the above 4 charts, click the context menu option (ellipsis button to the top right corner) and select configure tile settings. Make sure to uncheck the “Override the dashboard time settings at the tile level” option. This will let you automatically refresh the chart for the interval selected on the dashboard. It is important to configure this setting to interpret the results which will be discussed in the 3rd part in this series.
. 
Recent Comments