CVE-2022-0243
Cross-site Scripting (XSS) - Stored in GitHub repository orchardcms/orchardcore prior to 1.2.2.
Read via "National Vulnerability Database".
CVE-2022-22769
The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EBX, TIBCO EBX Add-ons, TIBCO EBX Add-ons, TIBCO EBX Add-ons, and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.8.124 and below, TIBCO EBX: versions 5.9.3, 5.9.4, 5.9.5, 5.9.6, 5.9.7, 5.9.8, 5.9.9, 5.9.10, 5.9.11, 5.9.12, 5.9.13, 5.9.14, and 5.9.15, TIBCO EBX: versions 6.0.0, 6.0.1, 6.0.2, and 6.0.3, TIBCO EBX Add-ons: versions 3.20.18 and below, TIBCO EBX Add-ons: versions 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, and 4.5.6, TIBCO EBX Add-ons: versions 5.0.0, 5.0.1, 5.1.0, 5.1.1, and 5.2.0, and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 1.1.0 and below.
Read via "National Vulnerability Database".
CVE-2021-38789
Allwinner R818 SoC Android Q SDK V1.0 is affected by an incorrect access control vulnerability that does not check the caller's permission, in which a third-party app could change system settings.
Read via "National Vulnerability Database".
FireEye & McAfee Enterprise Renamed as Trellix
Symphony Technology Group announces a name for the newly merged company, which aims to become a leader in extended detection and response (XDR).
Read via "Dark Reading".
CVE-2021-26247
As an unauthenticated remote user, visit "http://<CACTI_SERVER>/auth_changepassword.php?ref=<script>alert(1)</script>" to successfully execute the JavaScript payload present in the "ref" URL parameter.
Read via "National Vulnerability Database".
CVE-2021-44777
Cross-Site Request Forgery (CSRF) vulnerabilities leading to single or bulk e-mail entries deletion discovered in Email Tracker WordPress plugin (versions <= 5.2.6).
Read via "National Vulnerability Database".
CVE-2021-23225
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.
Read via "National Vulnerability Database".
CVE-2022-21699
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.
Read via "National Vulnerability Database".
CVE-2021-23842
Communication to the AMC2 uses a state-of-the-art cryptographic algorithm for symmetric encryption called Blowfish. An attacker could retrieve the key from the firmware to decrypt network traffic between the AMC2 and the host system. Thus, an attacker can exploit this vulnerability to decrypt and modify network traffic, decrypt and further investigate the device's firmware file, and change the device configuration. The attacker needs to have access to the local network, typically even the same subnet.
Read via "National Vulnerability Database".
CVE-2021-3816
Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.php.
Read via "National Vulnerability Database".
CVE-2021-23843
The Bosch software tools AccessIPConfig.exe and AmcIpConfig.exe are used to configure certain settings in AMC2 devices. The tool allows putting a password protection on configured devices to restrict access to the configuration of an AMC2. An attacker can circumvent this protection and make unauthorized changes to configuration data on the device. An attacker can exploit this vulnerability to manipulate the device's configuration or make it unresponsive in the local network. The attacker needs to have access to the local network, typically even the same subnet.
Read via "National Vulnerability Database".
CVE-2022-23046
PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.
Read via "National Vulnerability Database".
CVE-2022-23045
PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS.
Read via "National Vulnerability Database".
CVE-2022-21701
Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.
Read via "National Vulnerability Database".
CVE-2022-21679
Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1, the authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy.
Read via "National Vulnerability Database".
CVE-2021-43269
In Code42 app before 8.8.0, eval injection allows an attacker to change a device's proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.)
Read via "National Vulnerability Database".
CVE-2022-0277
Improper Access Control in Packagist microweber/microweber prior to 1.2.11.
Read via "National Vulnerability Database".
CVE-2022-0278
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
Read via "National Vulnerability Database".
Eleven prolific BEC scam suspects arrested in Nigeria
SilverTerrier brought to heel
Read via "The Daily Swig".
CVE-2022-0281
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
Read via "National Vulnerability Database".
CVE-2021-34600
Telenot CompasX versions prior to 32.0 use a weak seed for random number generation leading to predictable AES keys used in the NFC tags used for authorization of users.
Read via "National Vulnerability Database".