βΌ CVE-2022-22116 βΌ
π Read
via "National Vulnerability Database".
In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victimΓ’β¬β’s browser when they open the image URL.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44586 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in dst-admin v1.3.0. The product has an unauthorized arbitrary file download vulnerability that can expose sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0156 βΌ
π Read
via "National Vulnerability Database".
vim is vulnerable to Use After Freeπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0158 βΌ
π Read
via "National Vulnerability Database".
vim is vulnerable to Heap-based Buffer Overflowπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25052 βΌ
π Read
via "National Vulnerability Database".
The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22115 βΌ
π Read
via "National Vulnerability Database".
In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, and privileges escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24948 βΌ
π Read
via "National Vulnerability Database".
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft postsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25054 βΌ
π Read
via "National Vulnerability Database".
The WPcalc WordPress plugin through 2.1 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44458 βΌ
π Read
via "National Vulnerability Database".
Linux users running Lens 5.2.6 and earlier could be compromised by visiting a malicious website. The malicious website could make websocket connections from the victim's browser to Lens and so operate the local terminal feature. This would allow the attacker to execute arbitrary commands as the Lens user.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25047 βΌ
π Read
via "National Vulnerability Database".
The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the wdi_apply_changes admin page, allowing an attacker to perform such attack against any logged in usersπ Read
via "National Vulnerability Database".
βΌ CVE-2021-43949 βΌ
π Read
via "National Vulnerability Database".
Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature. The affected versions are before version 4.21.0.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25043 βΌ
π Read
via "National Vulnerability Database".
The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issueπ Read
via "National Vulnerability Database".
βΌ CVE-2022-22121 βΌ
π Read
via "National Vulnerability Database".
In NocoDB, versions 0.81.0 through 0.83.8 are affected by CSV Injection vulnerability (Formula Injection). A low privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint and exports the data as a CSV file and opens it, the payload gets executed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0157 βΌ
π Read
via "National Vulnerability Database".
phoronix-test-suite is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')π Read
via "National Vulnerability Database".
βΌ CVE-2021-24862 βΌ
π Read
via "National Vulnerability Database".
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issueπ Read
via "National Vulnerability Database".
βΌ CVE-2022-22114 βΌ
π Read
via "National Vulnerability Database".
In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The Γ’β¬Εsearch term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victimΓ’β¬β’s browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24949 βΌ
π Read
via "National Vulnerability Database".
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injectionπ Read
via "National Vulnerability Database".
βΌ CVE-2021-23218 βΌ
π Read
via "National Vulnerability Database".
When running with FIPS mode enabled, Mirantis Container Runtime 20.10.8 leaks memory during TLS Handshakes which could be abused to cause a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25051 βΌ
π Read
via "National Vulnerability Database".
The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.π Read
via "National Vulnerability Database".
π¦Ώ Weekly cyberattacks jumped by 50% in 2021, with a peak in December due largely to the Log4J exploit π¦Ώ
π Read
via "Tech Republic".
Check Point Research said Africa had the highest amount with an average of 1,582 per week per organization. Here's how to combat the latest surge in attacks.π Read
via "Tech Republic".
TechRepublic
Weekly cyberattacks jumped by 50% in 2021, with a peak in December due largely to the Log4J exploit
Check Point Research said Africa had the highest amount with an average of 1,582 per week per organization. Here's how to combat the latest surge in attacks.
π Haveged 1.9.17 π
π Read
via "Packet Storm Security".
haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self test targets and a spec file for those who want to build an RPM.π Read
via "Packet Storm Security".
Packetstormsecurity
Haveged 1.9.17 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers