CVE-2022-23302
via "National Vulnerability Database".
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2022-0260
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.2.7.
CVE-2022-0261
via "National Vulnerability Database".
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-23307
via "National Vulnerability Database".
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2021-38696
via "National Vulnerability Database".
SoftVibe SARABAN for INFOMA 1.1 has an Incorrect Access Control vulnerability that allows attackers to access signature files on the application without any authentication.
CVE-2021-4146
via "National Vulnerability Database".
Business Logic Errors in GitHub repository pimcore/pimcore prior to 10.2.6.
CVE-2021-41550
via "National Vulnerability Database".
Leostream Connection Broker 9.0.40.17 allows administrator to upload and execute Perl code.
CVE-2022-23305
via "National Vulnerability Database".
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2021-44217
via "National Vulnerability Database".
In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.
CVE-2021-41551
via "National Vulnerability Database".
Leostream Connection Broker 9.0.40.17 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link.
CVE-2022-0263
via "National Vulnerability Database".
Unrestricted Upload of File with Dangerous Type in Packagist pimcore/pimcore prior to 10.2.7.
“White Rabbit” Ransomware May Be New FIN8 Tool
via "Threat Post".
It's a double-extortion play that uses the command-line password “KissMe” to hide its nasty acts and adorns its ransom note with cutesy ASCII bunny art.
Serious Security: Apple Safari leaks private data via database API – what you need to know
via "Naked Security".
There's a tiny data leakage bug in the WebKit browser engine... but it could act as a "supercookie" identifier for your browsing
Romance scammer who targeted 670 women gets 28 months in jail
via "Naked Security".
Found love online? Sending them money? Friends and family warning you it could be a scam? Don't be too quick to dismiss their concerns...
US Search for Vulnerabilities Drives 10x Increase in Bug Reports
via "Dark Reading".
Cross-site scripting and broken access controls continued to be the top classes of vulnerabilities researchers discovered, according to Bugcrowd's annual vulnerability report.
CVE-2021-41807
via "National Vulnerability Database".
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
CVE-2022-0125
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.
CVE-2020-14110
via "National Vulnerability Database".
AX3600 router sensitive information leaked. There is an unauthorized interface through luci to obtain sensitive information and log in to the web background.
CVE-2022-0232
via "National Vulnerability Database".
The User Registration, Login & Landing Pages WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.2.7. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
CVE-2022-0093
via "National Vulnerability Database".
An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds.
CVE-2021-34406
via "National Vulnerability Database".
NVIDIA Tegra kernel driver contains a vulnerability in NVHost, where a specific race condition can lead to a null pointer dereference, which may lead to a system reboot.