Security Leftovers
-
NVD damage continued
The person or team at NVD whose job it is to make up stuff for security vulnerabilities ranked this as CRITICAL 9.8. Almost as bad as it gets apparently. 10 is the max as you might recall.
When realizing this, at the end of May, I first fell off my chair in shock by this insanity, but after a quick recovery I emailed them (again) and complained (yet again) on setting this severity for *27536. I used the word “ridiculous” in my email to describe their actions. Why and who benefits from them scaremongering the world like this? It makes no sense. On the contrary, this is bad for everyone.
As a reaction to my complaint, someone at NVD went back and agreed to revise the CVSS string they had set and suddenly it was “only” ranked HIGH 7.2. I say “someone” because they never communicate with names and never sign the emails, whoever I talk to. They are just “NVD”.
I objected to their new CVSS string as well. It is just not a high severity security problem!
In my new argument I changed two particular details in the CVSS string (compared to the one they insisted was good) and presented arguments for that. For your pleasure, I include my exact wording belo
-
Intellihartx Informs 490k Patients of GoAnywhere-Related Data Breach
Intellihartx says the personal information of roughly 490,000 individuals was compromised in the GoAnywhere zero-day attack earlier this year.
-
Software Supply Chain: The Golden Container Ship
By having a golden image you will put a process in place that allows you to quickly take action when a vulnerability is found within your organization.
-
WhosHere Plus. Trilateration vulnerability
WhosHere Plus is a dating app that uses GPS data to recommend users near each other, based on similar interests.
-
New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward
Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward.
-
Swiss Fear Government Data Stolen in Cyberattack
Switzerland said government operational data might have been stolen in a ransomware attack on a technology firm that provides software for several departments.
-
Fortinet Patches Critical FortiGate SSL VPN Vulnerability
Fortinet has patched CVE-2023-27997, a critical FortiGate SSL VPN vulnerability that can be exploited for unauthenticated remote code execution.