βΌ CVE-2022-23223 βΌ
π Read
via "National Vulnerability Database".
The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45802 βΌ
π Read
via "National Vulnerability Database".
MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because the email and phone parameter values are added to the SQL query without any verification at the time of membership registration.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23035 βΌ
π Read
via "National Vulnerability Database".
Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45844 βΌ
π Read
via "National Vulnerability Database".
Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45342 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45847 βΌ
π Read
via "National Vulnerability Database".
Several missing input validations in the 3MF parser component of Slic3r libslic3r 1.3.0 can each allow an attacker to cause an application crash using a crafted 3MF input file.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46113 βΌ
π Read
via "National Vulnerability Database".
In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23034 βΌ
π Read
via "National Vulnerability Database".
A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23945 βΌ
π Read
via "National Vulnerability Database".
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45029 βΌ
π Read
via "National Vulnerability Database".
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23944 βΌ
π Read
via "National Vulnerability Database".
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21697 βΌ
π Read
via "National Vulnerability Database".
Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the `allowed_hosts` check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45846 βΌ
π Read
via "National Vulnerability Database".
A flaw in the AMF parser of Slic3r libslic3r 1.3.0 allows an attacker to cause an application crash using a crafted AMF document, where a metadata tag lacks a "type" attribute.π Read
via "National Vulnerability Database".
π΄ Cyber-Physical Security: What It Is and What You Should Do π΄
π Read
via "Dark Reading".
Ancillary installations like the Internet of Things, operational technology, and industrial control systems enable lots of great functionality, and they face most of the same risks as IT infrastructure.π Read
via "Dark Reading".
Dark Reading
Cyber-Physical Security: What It Is and What You Should Do
Ancillary installations like the Internet of Things, operational technology, and industrial control systems enable lots of great functionality, and they face most of the same risks as IT infrastructure.
ποΈ PrinterLogic vendor addresses triple RCE threat against all connected endpoints ποΈ
π Read
via "The Daily Swig".
High severity flaws show centralized management means centralized risk, say researchersπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
PrinterLogic vendor addresses triple RCE threat against all connected endpoints
High severity flaws show centralized management means centralized risk, say researchers
π1
π΄ 4 Steps Toward Knowing Your Exploitable Attack Surface π΄
π Read
via "Dark Reading".
Actionable steps you can take today to identify the true risk your organization faces β learn how to separate the exploitable vulnerabilities from the rest.π Read
via "Dark Reading".
Dark Reading
4 Steps Toward Knowing Your Exploitable Attack Surface
Actionable steps you can take today to identify the true risk your organization faces β learn how to separate the exploitable vulnerabilities from the rest.
β AdSanity, AccessPress Plugins Open Scads of WordPress Sites to Takeover β
π Read
via "Threat Post".
A critical security bug and a months-long, ongoing supply-chain attack spell trouble for WordPress users.π Read
via "Threat Post".
Threat Post
AdSanity, AccessPress Plugins Open Scads of WordPress Sites to Takeover
A critical security bug and a months-long, ongoing supply-chain attack spell trouble for WordPress users.
π΄ As IoT Attacks Increase, Experts Fear More Serious Threats π΄
π Read
via "Dark Reading".
Variants of the Mirai codebase are still a popular way to compromise and subvert Internet of Things devices, but experts fear more serious threats may be ahead.π Read
via "Dark Reading".
Dark Reading
As IoT Attacks Increase, Experts Fear More Serious Threats
Variants of the Mirai codebase are still a popular way to compromise and subvert Internet of Things devices, but experts fear more serious threats may be ahead.
β Alleged carder gang mastermind and three acolytes under arrest in Russia β
π Read
via "Naked Security".
The motto of the gang was "In Fraud We Trust", and they went by a dizzying range of online nicknames.π Read
via "Naked Security".
Naked Security
Alleged carder gang mastermind and three acolytes under arrest in Russia
The motto of the gang was βIn Fraud We Trustβ, and they went by a dizzying range of online nicknames.
βΌ CVE-2021-3850 βΌ
π Read
via "National Vulnerability Database".
Authentication Bypass by Primary Weakness in GitHub repository adodb/adodb prior to 5.20.21.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43863 βΌ
π Read
via "National Vulnerability Database".
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 to receive a patch. There are no known workarounds aside from upgrading.π Read
via "National Vulnerability Database".