The gridelements (aka Grid Elements) extension through 7.6.1, 8.x through 8.7.0, 9.x through 9.7.0, and 10.x through 10.2.0 extension for TYPO3 allows XSS.

Tue. 26th April, 2022

It has been discovered that the extension "Grid Elements" (gridelements) is susceptible to Cross-Site Scripting.

*   Release Date: April 26, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "Grid Elements" (gridelements)
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 7.6.1 and below, 8.0.0 - 8.7.0, 9.0.0 - 9.7.0 and 10.0.0 - 10.2.0
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-29602

**Problem Description**

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Solution**

Updated versions 7.7.0, 8.8.0, 9.8.0 and 10.3.0 are available from the TYPO3 extension manager, packagist and at   
https://extensions.typo3.org/extension/download/gridelements/10.3.0/zip  
https://extensions.typo3.org/extension/download/gridelements/9.8.0/zip  
https://extensions.typo3.org/extension/download/gridelements/8.8.0/zip  
https://extensions.typo3.org/extension/download/gridelements/7.7.0/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to TYPO3 Security Team member Oliver Hader for reporting the vulnerability and to Jo Hasenau  for providing updated versions of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-29602: Cross-Site Scripting in extension "Grid Elements" (gridelements)

The seminars (aka Seminar Manager) extension through 4.1.3 for TYPO3 allows SQL Injection.

Tue. 26th April, 2022

It has been discovered that the extension "Seminar Manager" (seminars) is susceptible to SQL Injection.

*   Release Date: April 26, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "Seminar Manager" (seminars)
*   Vulnerability Type: SQL Injection
*   Affected Versions: 4.1.3 and below
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:X
*   References: CVE-2022-29601

**Problem Description**

The extension fails to properly sanitize user input and is susceptible to SQL Injection.

**Solution**

An updated version 4.1.4  is available from the TYPO3 extension manager, packagist and at  
https://extensions.typo3.org/extension/download/seminars/4.1.4/zip/  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Tobias Köhler for reporting the issue and to Oliver Klee  for providing an updated version of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-29601: SQL Injection in extension "Seminar Manager" (seminars)

The schema (aka Embedding schema.org vocabulary) extension before 1.13.1 and 2.x before 2.5.1 for TYPO3 allows XSS.

Tue. 14th June, 2022

It has been discovered that the extension "Embedding schema.org vocabulary" (schema) is susceptible to Cross-Site Scripting.

*   Release Date: June 14, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "Embedding schema.org vocabulary" (schema)
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 1.13.0 and below, 2.0.0 - 2.5.0
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-33154

**Problem Description**

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Solution**

Updated versions 1.13.1 and 2.5.1 are available from the TYPO3 extension manager, packagist and at  
https://extensions.typo3.org/extension/download/schema/1.13.1/zip  
https://extensions.typo3.org/extension/download/schema/2.5.1/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Chris Müller for reporting the vulnerability and for providing updated versions of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-33154: Cross-Site Scripting in extension "Embedding schema.org vocabulary" (schema)

The ameos_tarteaucitron (aka AMEOS - TarteAuCitron GDPR cookie banner and tracking management / French RGPD compatible) extension before 1.2.23 for TYPO3 allows XSS.

Tue. 14th June, 2022

It has been discovered that the extension "AMEOS - TarteAuCitron (GDPR cookie banner and tracking management / French RGPD compatible)" (ameos\_tarteaucitron) is susceptible to Cross-Site Scripting.

*   Release Date: June 14, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "AMEOS - TarteAuCitron (GDPR cookie banner and tracking management / French RGPD compatible)" (ameos\_tarteaucitron)
*   Vulnerability Type: Cross-Site Scripting
*   Affected Versions: 1.2.22 and below
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C
*   References: CVE-2022-33155

**Problem Description**

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

**Solution**

An updated version 1.2.23 is available from the TYPO3 extension manager, packagist and at    
https://extensions.typo3.org/extension/download/ameos\_tarteaucitron/1.2.23/zip  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to TYPO3 Security Team member Torben Hansen for reporting the vulnerability and to Luc Muller for providing an updated version of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-33155: Cross-Site Scripting in extension "AMEOS - TarteAuCitron (GDPR cookie banner and tracking management / French RGPD compatible)" (ameos_tarteaucitron)

The oelib (aka One is Enough Library) extension through 4.1.5 for TYPO3 allows SQL Injection.

Tue. 26th April, 2022

It has been discovered that the extension "One is Enough Library" (oelib) is susceptible to SQL Injection.

*   Release Date: April 26, 2022
*   Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
*   Component: "One is Enough Library" (oelib)
*   Vulnerability Type: SQL Injection
*   Affected Versions: 4.1.5 and below
*   Severity: Medium
*   Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:X
*   References: CVE-2022-29600

**Problem Description**

The extension fails to properly sanitize user input and is susceptible to SQL Injection.

**Solution**

An updated version 4.1.6  is available from the TYPO3 extension manager, packagist and at  
https://extensions.typo3.org/extension/download/oelib/4.1.6/zip/  
Users of the extension are advised to update the extension as soon as possible.

**Credits**

Thanks to Oliver Klee  for providing an updated version of the extension.

**General Advice**

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

CVE-2022-29600: SQL Injection in extension "One is Enough Library" (oelib)

Implemented protections on AWS credentials that were not properly protected.

**WDC Tracking Number:** WDC-22009  
**Published:** July 11, 2022

**Last Updated:** July 11, 2022

**Description**

My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.

The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.

Additionally, the Linux kernel has been updated to 4.9.266.

Your My Cloud Home device will be automatically updated to reflect the latest firmware version.    

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud Home

8.7.0-107

July 8, 2022

My Cloud Home Duo

8.7.0-107

July 8, 2022

For more information on the latest security updates, see the release notes.

**Advisory Summary**

A vulnerability in the Linux kernel’s cgroup\_release\_agent\_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.  

Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.

**CVE Number:** CVE-2022-0778  

Addressed a memory copy vulnerability in the Linux Wi-Fi driver.  

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994

Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative  

A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

**CVE Number:** CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi\_im\_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291  

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.  

Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.  

Transitioned to Go’s crypto/tls library for secure communications.  

Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.  

Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..

**CVE Number:** CVE-2022-22997, CVE-2022-22998

Western Digital would like to thank Viettel Cyber Security for reporting this issue.  

Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.

**CVE Number:** CVE-2022-0562, CVE-2022-0561, CVE-2022-0865  

Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.

**CVE Number:** CVE-2022-29191, CVE-2022-29213, CVE-2022-29208

CVE-2022-22998: WDC-22009 My Cloud Home Firmware Version 8.7.0-107 | Western Digital

Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows' installer execute a binary into `C:\mingw64\bin\git.exe` by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. Create the `C:\mingw64` folder and remove read/write access from this folder, or disallow arbitrary authenticated users to create folders in `C:\`.

Changes since Git for Windows v2.37.0 (June 27th 2022)

This release addresses CVE-2022-31012 and CVE-2022-29187.

**New Features**

*   Comes with Git v2.37.1.
*   Comes with OpenSSL v1.1.1q.
*   Comes with Git Credential Manager Core v2.0.785.
*   Comes with tig v2.5.5.

**Bug Fixes**

*   Pasting large amounts of text in Git for Windows' Bash when running inside Windows Terminal often resulted in garbled text, which has been fixed.
*   The Perl module perl-Clone which linked to a non-existing DLL was rebuilt to fix the issue.
*   The Git for Windows installer can no longer be tricked into running an untrusted git.exe in elevated mode (CVE-2022-31012).
*   When running Git in a world-writable directory owned by the current user (think C:\Windows\Temp, when running under the SYSTEM account), the checks for dubious ownership of the .git directory now detect this situation properly (CVE-2022-29187).

Filename

SHA-256

Git-2.37.1-64-bit.exe

1966761ad2c9e4cbd38f9e583b1125949b011a5a250a99d65e9bb21958e6ef8b

Git-2.37.1-32-bit.exe

714069fe4291c4ca7a51f7e7e81b0c94038590294f3b9e0981456a664c92966b

PortableGit-2.37.1-64-bit.7z.exe

b0bc403bb03326b835e239b3bf7c0af277f43eba5421132dc8531204c78b6b25

PortableGit-2.37.1-32-bit.7z.exe

1a32f1de26d52ef866f27db395d8ab6bd9dc4c53bfc0161937b20f8749b4d96b

MinGit-2.37.1-64-bit.zip

edacf2d5c39555c25a396e0b9d27182ab5587259dc2e824b4490996b373f9300

MinGit-2.37.1-32-bit.zip

b336137fb286552c5c2616af50c54e9aca7d16a24ec1b00189a6c221a81af14c

MinGit-2.37.1-busybox-64-bit.zip

1fb7db2cb181ef962e06b1b99c4b254b3ace6f6dce73740bd498d3948189ca42

MinGit-2.37.1-busybox-32-bit.zip

7470ec55d4ac0ddc3738614dbfe6642770a001b0bae9d3c944e22e25019bf16d

Git-2.37.1-64-bit.tar.bz2

b1c87e136947102ce32f75ef880ebee79b547f8ef33bb1b5010c3455ac83a655

Git-2.37.1-32-bit.tar.bz2

b0fef8f618e5e5cdad200571211fb6b42be595ef55bf8b648b8211c8bd5e02ea

CVE-2022-31012: Release Git for Windows 2.37.1 · git-for-windows/git

Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack.

**Ba Jinsheng** bajinsheng at u.nus.edu  
_Wed Sep 8 22:28:48 PDT 2021_

*   Previous message (by thread): \[Live-devel\] Memory Leak in MPEGProgramStreamParser
*   Next message (by thread): \[Live-devel\] A Heap-overflow in FD\_ISSET
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Hi,

There may be another similar overflow bug about the fd\_set in BasicUsageEnvironment/BasicTaskScheduler.cpp:115
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  for (int i = 0; i < 10000; ++i) {
    if (FD\_ISSET(i, &fReadSet) || FD\_ISSET(i, &fWriteSet) || FD\_ISSET(i, &fExceptionSet)) {
      fprintf(stderr, " %d(", i);
      if (FD\_ISSET(i, &fReadSet)) fprintf(stderr, "r");
      if (FD\_ISSET(i, &fWriteSet)) fprintf(stderr, "w");
      if (FD\_ISSET(i, &fExceptionSet)) fprintf(stderr, "e");
      fprintf(stderr, ")");
    }
  }
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In default, the fd\_set should only support 1024 fds.
Sometimes, it incur the overflow as follow:

==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000470 at pc 0x000000647338 bp 0x7ffff34b50d0 sp 0x7ffff34b50c8
READ of size 8 at 0x619000000470 thread T1
    #0 0x647337 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61
    #1 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
    #2 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #3 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #4 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock\*, unsigned char, FramedSource\*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #5 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr\_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr\_storage&, unsigned char&, unsigned char&, Port&, Port&, void\*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6
    #6 0x4e412f in RTSPServer::RTSPClientSession::handleCmd\_SETUP\_afterLookup2(ServerMediaSession\*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17
    #7 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19
    #8 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3
    #9 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void\*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15
    #10 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #11 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
    #12 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41
    #13 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14
    #14 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock\*, unsigned char, FramedSource\*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22
    #15 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr\_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr\_storage&, unsigned char&, unsigned char&, Port&, Port&, void\*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6
    #16 0x4e412f in RTSPServer::RTSPClientSession::handleCmd\_SETUP\_afterLookup2(ServerMediaSession\*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17
    #17 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19
    #18 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3
    #19 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void\*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15
    #20 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2
    #21 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile\*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5

0x619000000470 is located 0 bytes to the right of 1008-byte region \[0x619000000080,0x619000000470)
allocated by thread T1 here:
    #0 0x4c789d in operator new(unsigned long) (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x4c789d)
    #1 0x645882 in BasicTaskScheduler::createNew(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:32:9


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61 in BasicTaskScheduler::SingleStep(unsigned int)
Shadow bytes around the buggy address:
  0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa
  0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13==ABORTING




Best regards,
Jinsheng Ba

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20210909/84e04d3f/attachment-0001.htm\>

*   Previous message (by thread): \[Live-devel\] Memory Leak in MPEGProgramStreamParser
*   Next message (by thread): \[Live-devel\] A Heap-overflow in FD\_ISSET
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the live-devel mailing list

CVE-2021-41396: [Live-devel] A Heap-overflow in FD_ISSET

If you're not teaching all of your employees proper security hygiene, you are leaving the door open to risk. Close that door by providing accessible training.

Many studies show that companies with gender and racial diversity within their board, leadership team, and workforce are more likely to have increased profitability and greater competitive advantage. Equitable access for all employees is an important part of ensuring diversity with the organization, but companies have a long way to go when it comes to accessibility, especially for people with disabilities.

According to the World Economic Forum, businesses that include disabled people see as much of an improvement in performance as those with higher degrees of female and racial minority representation. "With 28% higher revenue, double net income, 30% higher profit margins, and strong next generation talent acquisition and retention, a disability-inclusive business strategy promises a significant return on investment," its Valuable 500 project asserts.

Within cybersecurity, security awareness training programs are an incredibly important part of preventing breaches, given most attacks use some form of social engineering. However, many such programs are not fully accessible for all employees. This increases the risk of security threats, as a swath of employees are not educated or trained to recognize security threats, properly respond, and escalate.

For many, their online experience is already challenged by language barriers. An estimated 98% of Web pages are published in just 12 languages, and more than half of them are English, yet less than half of the world's population speaks one of those 12 languages as their first language.

This is compounded by the difficulties put in the way of people with disabilities. The average website home page contains more than 50 accessibility errors. Combine that with the poor digital usage rates of individuals who need accessible content most, and you can see how a significant number of users aren't getting the information they need to keep them, as well as their employers, safe from cybersecurity threats.

Human error exposes organizations to tremendous risk, as cyber breaches are often caused by these mistakes. When companies don't prioritize accessibility in training employees, they exclude a portion of their workforce who then cannot help combat cyber threats. If your security awareness training program isn't inclusive of diverse populations and does not meet minimum accessibility standards, you are more vulnerable to attack, and those you have not trained will be your weakest spots.

**What Is Accessible Security Awareness Training?**

Accessible security awareness training maximizes inclusivity — or, to reverse the thinking slightly, minimizes the number of people excluded from the program. This means the training content can be viewed by individuals who prefer learning in a language not considered the main language in your city or country, and individuals living with a disability and/or who use assistive technology, such as a screen reader, to consume digital content.

Basically, the training must be designed with all users in mind. From text courses to interactive learning and overall structure, there are a lot of variables to consider. Built-in customization gives those who require an alternate learning experience the opportunity to tailor training to their specific needs. This can be as simple as a tick box that serves as an opt-in for the accessible version of your security awareness training.

**7 Ways to Make Security Awareness Training More Accessible**

Truly accessible security awareness training content is built from the ground up, with various measures considered early in the creative process. Here are seven tips to help make your security awareness training more accessible to all users:

1.  Write clearly and concisely for better understanding.
2.  Make training available in multiple languages.
3.  Clean up your lesson structure to make content streamlined.
4.  Carefully consider the colors and contrasts you use.
5.  Use descriptive links and alt text.
6.  If video is essential, use closed captions.
7.  Use pop-out windows to maintain interactivity.

By considering these tips when designing your security awareness training program, you are including all people within your organization, which supports a culture of vigilant employees.

We implement security awareness training to equip our employees with the best tools possible, so they can help prevent cyberattacks and breaches. We need to make sure everyone is as safe online as they possibly can be. If accessibility is not present, we are failing our employees and creating risk within our organization.

Remember to check in on your organization's security awareness training program and determine what improvements can be made. Listen to your employees and recognize their needs so that you create the best possible first line of defense against security threats.

Accessible Cybersecurity Awareness Training Reduces Your Risk of Cyberattack

A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions), SICAM GridEdge Essential Intel (All versions < V2.7.3), SICAM GridEdge Essential with GDS ARM (All versions), SICAM GridEdge Essential with GDS Intel (All versions < V2.7.3). Affected software uses an improperly protected file to import SSH keys. Attackers with access to the filesystem of the host on which SICAM GridEdge runs, are able to inject a custom SSH key to that file.

%PDF-1.5 %���� 56 0 obj << /Length 2530 /Filter /FlateDecode >> stream x��ZKs�8��W�HU�\`���hb���q�䤶�90ms�אR���� � )ъ

Tag

#perl