βΌ CVE-2021-38694 βΌ
π Read
via "National Vulnerability Database".
SoftVibe SARABAN for INFOMA 1.1 allows SQL Injection.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38785 βΌ
π Read
via "National Vulnerability Database".
There is a NULL pointer deference in the Allwinner R818 SoC Android Q SDK V1.0 camera driver /dev/cedar_dev that could use the ioctl cmd IOCTL_GET_IOMMU_ADDR to cause a system crash.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38784 βΌ
π Read
via "National Vulnerability Database".
There is a NULL pointer dereference in the syscall open_exec function of Allwinner R818 SoC Android Q SDK V1.0 that could executable a malicious file to cause a system crash.π Read
via "National Vulnerability Database".
ποΈ Chrome to bolster CSRF protections with CORS preflight checks on private network requests ποΈ
π Read
via "The Daily Swig".
Phased rollout begins from Chrome 98 with DevTools warnings of failed preflight requestsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Chrome to bolster CSRF protections with CORS preflight checks on private network requests
Phased rollout begins from Chrome 98 with DevTools warnings of failed preflight requests
β Critical ManageEngine Desktop Server Bug Opens Orgs to Malware β
π Read
via "Threat Post".
Zoho's comprehensive endpoint-management platform suffers from an authentication-bypass bug (CVE-2021-44757) that could lead to remote code execution.π Read
via "Threat Post".
Threat Post
Critical ManageEngine Desktop Server Bug Opens Orgs to Malware
Zoho's comprehensive endpoint-management platform suffers from an authentication-bypass bug (CVE-2021-44757) that could lead to remote code execution.
π΄ Name That Toon: Nowhere to Hide π΄
π Read
via "Dark Reading".
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.π Read
via "Dark Reading".
Dark Reading
Name That Toon: Nowhere to Hide
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
βΌ CVE-2021-38695 βΌ
π Read
via "National Vulnerability Database".
SoftVibe SARABAN for INFOMA 1.1 is vulnerable to stored cross-site scripting (XSS) that allows users to store scripts in certain fields (e.g. subject, description) of the document form.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38697 βΌ
π Read
via "National Vulnerability Database".
SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted File Upload, that allows attackers to upload files with any file extension which can lead to arbitrary code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0262 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.7.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23302 βΌ
π Read
via "National Vulnerability Database".
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0260 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0261 βΌ
π Read
via "National Vulnerability Database".
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23307 βΌ
π Read
via "National Vulnerability Database".
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38696 βΌ
π Read
via "National Vulnerability Database".
SoftVibe SARABAN for INFOMA 1.1 has Incorrect Access Control vulnerability, that allows attackers to access signature files on the application without any authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4146 βΌ
π Read
via "National Vulnerability Database".
Business Logic Errors in GitHub repository pimcore/pimcore prior to 10.2.6.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41550 βΌ
π Read
via "National Vulnerability Database".
Leostream Connection Broker 9.0.40.17 allows administrator to upload and execute Perl code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23305 βΌ
π Read
via "National Vulnerability Database".
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44217 βΌ
π Read
via "National Vulnerability Database".
In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41551 βΌ
π Read
via "National Vulnerability Database".
Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading z ZIP file that contains a symbolic link.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0263 βΌ
π Read
via "National Vulnerability Database".
Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7.π Read
via "National Vulnerability Database".
β βWhite Rabbitβ Ransomware May Be New FIN8 Tool β
π Read
via "Threat Post".
It's a double-extortion play that uses the command-line password βKissMeβ to hide its nasty acts and adorns its ransom note with cutesy ASCII bunny art.π Read
via "Threat Post".