βΌ CVE-2021-45388 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-45608. Reason: This candidate is a reservation duplicate of CVE-2021-45608. Notes: All CVE users should reference CVE-2021-45608 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43436 βΌ
π Read
via "National Vulnerability Database".
MartDevelopers Inc iResturant v1.0 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45411 βΌ
π Read
via "National Vulnerability Database".
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45445 βΌ
π Read
via "National Vulnerability Database".
Unisys ClearPath MCP TCP/IP Networking Services 59.1, 60.0, and 62.0 has an Infinite Loop.π Read
via "National Vulnerability Database".
βΌ CVE-2021-28377 βΌ
π Read
via "National Vulnerability Database".
ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files.π Read
via "National Vulnerability Database".
βΌ CVE-2021-28376 βΌ
π Read
via "National Vulnerability Database".
ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary files.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0012 βΌ
π Read
via "National Vulnerability Database".
An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0013 βΌ
π Read
via "National Vulnerability Database".
A file information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker to read the contents of arbitrary files on the system with elevated privileges when generating a support file. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0014 βΌ
π Read
via "National Vulnerability Database".
An untrusted search path vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker with file creation privilege in the Windows root directory (such as C:\) to store a program that can then be unintentionally executed by another local user when that user utilizes a Live Terminal session. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38892 βΌ
π Read
via "National Vulnerability Database".
IBM Planning Analytics 2.0 and IBM Planning Analytics Workspace 2.0 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote threat actor who can access (without previous authentication) a valid PA endpoint to read and write files to the IBM Planning Analytics system. Depending on file system permissions up to path traversal and possibly remote code execution. IBM X-Force ID: 209511.π Read
via "National Vulnerability Database".
π΄ Flashpoint Acquires Risk Based Security π΄
π Read
via "Dark Reading".
Flashpoint plans to integrate Risk Based Security data and technology into its platform to boost threat intelligence and vulnerability management.π Read
via "Dark Reading".
Dark Reading
Flashpoint Acquires Risk Based Security
Flashpoint plans to integrate Risk Based Security data and technology into its platform to boost threat intelligence and vulnerability management.
β Stolen TikTok Videos, Bent on Fraud, Invade YouTube Shorts β
π Read
via "Threat Post".
Scammers easily game YouTube Shorts with viral TikTok content, bilking both creators and users.π Read
via "Threat Post".
Threat Post
Stolen TikTok Videos, Bent on Fraud, Invade YouTube Shorts
Scammers easily game YouTube Shorts with viral TikTok content, bilking both creators and users.
βΌ CVE-2022-21676 βΌ
π Read
via "National Vulnerability Database".
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42561 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23116 βΌ
π Read
via "National Vulnerability Database".
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42558 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23109 βΌ
π Read
via "National Vulnerability Database".
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20615 βΌ
π Read
via "National Vulnerability Database".
Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23108 βΌ
π Read
via "National Vulnerability Database".
Jenkins Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21675 βΌ
π Read
via "National Vulnerability Database".
Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Versions of the package prior to 2.11.0 are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip"). The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The Zip Slip vulnerability can affect numerous archive formats, including zip, jar, tar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victimΓΒ’Γ’β¬ÒβΒ’s machine. The impact of a Zip Slip vulnerability would allow an attacker to create or overwrite existing files on the filesystem. In the context of a web application, a web shell could be placed within the application directory to achieve code execution. All users should upgrade to BCV v2.11.0 when possible to receive a patch. There are no recommended workarounds aside from upgrading.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20613 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.π Read
via "National Vulnerability Database".