CVE-2021-45830
via "National Vulnerability Database".
A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service.
CVE-2021-43816
via "National Vulnerability Database".
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
CVE-2021-43779
via "National Vulnerability Database".
GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from an authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system using command injection abuse of functionality. There is no workaround for this issue and users are advised to upgrade or to disable the addressing plugin.
CVE-2022-21651
via "National Vulnerability Database".
Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrarily redirected due to incomplete URL handling in the shopware router. This issue has been resolved in version 5.7.7. There is no workaround and users are advised to upgrade as soon as possible.
New Attack Campaign Exploits Microsoft Signature Verification
via "Dark Reading".
The Malsmoke attack group is behind a campaign that has exploited the Microsoft e-signature verification tool to target 2,100 victims.
"Elephant Beetle" Lurks for Months in Networks
via "Threat Post".
The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars.
1.1M Compromised Accounts Found at 17 Major Companies
via "Threat Post".
The accounts fell victim to credential-stuffing attacks, according to the New York State AG.
CVE-2021-45832
via "National Vulnerability Database".
A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent).
CVE-2022-21653
via "National Vulnerability Database".
Jawn is an open source JSON parser. Extenders of the `org.typelevel.jawn.SimpleFacade` and `org.typelevel.jawn.MutableFacade` who don't override `objectContext()` are vulnerable to a hash collision attack which may result in a denial of service. Most applications do not implement these traits directly, but inherit from a library. `jawn-parser-1.3.1` fixes this issue and users are advised to upgrade. For users unable to upgrade, override `objectContext()` to use a collision-safe collection.
CVE-2021-45833
via "National Vulnerability Database".
A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent).
CVE-2021-46144
via "National Vulnerability Database".
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
CVE-2021-43947
via "National Vulnerability Database".
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
CVE-2022-0121
via "National Vulnerability Database".
hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.
CVE-2022-22704
via "National Vulnerability Database".
The zabbix-agent2 package before 5.4.9-r1 for Alpine Linux sometimes allows privilege escalation to root because the design incorrectly expected that systemd would (in effect) determine part of the configuration.
CVE-2021-46141
via "National Vulnerability Database".
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.
CVE-2021-46143
via "National Vulnerability Database".
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
CVE-2022-0122
via "National Vulnerability Database".
forge is vulnerable to URL Redirection to Untrusted Site.
CVE-2021-46142
via "National Vulnerability Database".
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
Insecure Amazon S3 bucket exposed personal data on 500,000 Ghanaian graduates
via "The Daily Swig".
Cloud storage misconfiguration left sensitive data openly accessible
CVE-2022-22707
via "National Vulnerability Database".
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes), as demonstrated by remote denial of service (daemon crash).
CVE-2021-36737
via "National Vulnerability Database".
The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact.