資安事件新聞週報  2019/5/13  ~  2019/5/17

1.重大弱點漏洞/後門/Exploit/Zero Day
Fortinet FortiSandbox跨站腳本漏洞   CVE-2018-1356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1356

GPS追蹤器的安全漏洞將允許駭客得知用戶位置或竊聽
https://www.ithome.com.tw/news/130585

Titan藍牙硬體金鑰有安全漏洞，Google將免費換新
https://ithome.com.tw/news/130673

WordPress網站的安全漏洞有98%來自外掛程式
https://www.ithome.com.tw/news/130713

VMWare 產品權限提升漏洞
https://www.us-cert.gov/ncas/current-activity/2019/05/14/VMware-Releases-Security-Updates

Toshiba 和 Brother 印表機Web Services列印存在安全漏洞
https://net.nthu.edu.tw/netsys/mailing:announcement:20190515_02

Coros announces VERTIX GPS adventure watch: 45-day battery life and extreme operating profile
https://www.zdnet.com/article/coros-announces-vertix-gps-adventure-watch-45-day-battery-life-and-extreme-operating-profile/#ftag=RSSbaffb68

HAProxy 安全漏洞 CVE-2019-11323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11323

資安事件新聞週報  2019/5/6  ~  2019/5/10

1.重大弱點漏洞/後門/Exploit/Zero Day
八種無線演示系統中的關鍵漏洞
https://www.chainnews.com/articles/111363306365.htm

Dell 預載軟體成為 PC 被駭的後門
https://chinese.engadget.com/2019/05/04/supportassist-dell-vulnerability-windows/

安全研究人員發現戴爾支持助手客戶端存在安全漏洞會引發遠程攻擊
https://www.landiannews.com/archives/58210.html

Office 2016更新臭蟲引發當機，遭微軟緊急撤除
https://www.ithome.com.tw/news/130505?fbclid=IwAR1Q5Dpo1wj_lF95EFYrGqzbb0u9bJu3yG7-UoeARiAB1VAXNAcxQ1Y_zxU

華碩與技嘉的驅動程式遭爆含有權限擴張漏洞
https://0nion.com/article/27466

Jenkins外掛存在安全漏洞，衍生密碼外洩或跨站攻擊風險
https://www.ithome.com.tw/news/130412

Jenkins外掛程序存在安全漏洞，有資料外洩和跨網站攻擊等風險
http://www.twoeggz.com/news/14467228.html

黑客三年來一直向APT組織提供微軟零日漏洞
http://521.li/post/628.html

資安事件新聞週報  2019/4/29  ~  2019/5/3

1.重大弱點漏洞
Symantec 產品多個漏洞
https://www.auscert.org.au/bulletins/79594

Fortinet FortiManager 洩露敏感資料漏洞
https://www.auscert.org.au/bulletins/79762

思科修補Nexus 9000網路交換器重大漏洞
https://www.ithome.com.tw/news/130397

New Exploits for Unsecure SAP Systems
https://www.us-cert.gov/ncas/alerts/AA19-122A

九成SAP用戶權限沒關好！13年前問題設定恐讓駭客任意存取App
https://www.ithome.com.tw/news/122772

Memcached 阻斷攻擊漏洞
https://github.com/memcached/memcached/wiki/ReleaseNotes1514

CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting
https://www.exploit-db.com/exploits/46784

思科產品多個漏洞
https://www.us-cert.gov/ncas/current-activity/2019/05/01/Cisco-Releases-Security-Updates

D-Link camera vulnerability allows attackers to tap into the video stream
https://www.welivesecurity.com/2019/05/02/d-link-camera-vulnerability-video-stream/

Netgear DGN2200 / DGND3700 - Admin Password Disclosure
https://www.exploit-db.com/exploits/46764

Dell laptops and computers vulner…

5月份資安、社群活動分享

 108年度資安初學者挑戰活動 (MyFirstCTF) 5/1 ~ 5/10 報名
 https://ais3.org/mfctf/

 HackingThursday 固定聚會  5/2
 https://www.meetup.com/hackingthursday/events/vkhnnqyzhbdb/

 Python 商務網站 ＊ 極速學習 (2019春季 - 台北)  5/2
 https://cjltsod.kktix.cc/events/django-2019-spring-taipei

 國票金控「純網銀鯰魚與資安技術漣漪」日本樂天技術結合台灣AI 人工智慧發表會  5/2
 https://www.accupass.com/event/1904111400151860776797

 資安法 X 技術實務論壇  5/2
 https://csa.kktix.cc/events/csa190502

 國立交通大學 亥客書院 - 基礎網站安全建構實務  5/4
 https://hackercollege.nctu.edu.tw/?p=1045

 ISDA 白帽菁英萌芽計劃II 0505 
 https://reg.shield.org.tw/info.php?no=54

 Pwn入門  5/5
 https://hackersir.kktix.cc/events/fcu190505

 Elixir台灣 台北 Meetup # Monday, May 6, 2019
 https://www.meetup.com/elixirtw-taipei/events/njjhvpyzhbjb/

 公部門之AI資安防護新思維研討會 5/7
 http://www.cisanet.org.tw/News/activity_more?id=MTQzOA==

 向資安服務看齊 我們一起讓資安從「有做」到「有效」  5/8 ~ 5/10
 https://www.informationsecurity.com.tw/Seminar/2019_all/

 資安危機 - 進擊的勒索加密軟體 2019-05-09(四) 14:45 ~ 17:00
 https://www.accupass.com/event/19041703435474776…

資安事件新聞週報  2019/4/22  ~  2019/4/26

1.重大弱點漏洞
CVE-2019-3799：spring-cloud-config-server目錄遍歷漏洞警告
https://www.linuxidc.com/Linux/2019-04/158191.htm

jQuery 的“原型污染”安全漏洞
https://www.oschina.net/news/106124/jquery-impacted-by-prototype-pollution-flaw

Symantec 產品多個漏洞
https://www.auscert.org.au/bulletins/79594

Google Android System信息洩露漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2021

Google Chrome 74 released with Dark Mode support for Windows users
https://www.zdnet.com/article/google-chrome-74-released-with-dark-mode-support-for-windows-users/#ftag=RSSbaffb68

CyberDairy Solutions SQLi
https://www.anquanke.com/vul/id/1576754

D-Link DI-524跨站脚本漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11017

甲骨文 WebLogic 遠端執行程式碼漏洞
https://www.zdnet.com/article/new-oracle-weblogic-zero-day-discovered-in-the-wild/

Oracle MySQL Server拒絕服務漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2634

Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert
http://bit.ly/2vikKch

關於Oracle WebLogic反序列化遠程命令執行…

資安事件新聞週報  2019/4/15  ~  2019/4/19

1.重大弱點漏洞
阿里巴巴被發現了一個可以繞過WAF的漏洞
https://nosec.org/home/detail/2483.html

中國蟻劍被曝XSS 漏洞，可導致遠程命令執行
http://www.sohu.com/a/307475721_354899?sec=wd

Electronic Arts修補含有遠端程式攻擊漏洞的客戶端程式
https://www.ithome.com.tw/news/130052

Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting
https://www.exploit-db.com/exploits/46706

Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)
https://www.exploit-db.com/exploits/46693

CyberArk EPM 10.2.1.603 - Security Restrictions Bypass
https://www.exploit-db.com/exploits/46688

卡巴斯基實驗室：win32k.sys又曝出了新的零日漏洞
https://nosec.org/home/detail/2490.html

New zero-day vulnerability CVE-2019-0859 in win32k.sys
https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/

Shimo VPN 輸入驗證錯誤漏洞
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4009

Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPN's helper tool
https://blog.talosintelligence.com/2019/04/vulner…