"Long Live Log4Shell": CVE-2021-44228 Not Dead Yet
The ubiquitous Log4j bug will be with us for years. John Hammond, senior security researcher at Huntress, discusses what's next.
via "Threat Post".

CVE-2021-43635
A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via the Notebook/Page name field, which allows malicious users to execute arbitrary code via crafted HTTP code in a .json file.
via "National Vulnerability Database".

CVE-2022-24260
A SQL injection vulnerability in Voipmonitor GUI before v24.96 allows attackers to escalate privileges to the Administrator level.
via "National Vulnerability Database".

CVE-2022-24259
An incorrect check in the component cdr.php of Voipmonitor GUI before v24.96 allows unauthenticated attackers to escalate privileges via a crafted request.
via "National Vulnerability Database".

CVE-2022-24262
The config restore function of Voipmonitor GUI before v24.96 does not properly check files sent as restore archives, allowing remote attackers to execute arbitrary commands via a crafted file in the web root.
via "National Vulnerability Database".

Friday Five 2/4
Hacking North Korea, inside the Trickbot ransomware group, and more - catch up on the infosec news of the week with the Friday Five!
via "Digital Guardian".

Expert Insights: Training the Data Elephant in the AI Room
Be aware of the risk of inadvertent data exposure in machine learning systems.
via "Dark Reading".

CVE-2021-29394
Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user account via lack of proper authorization on the user-controlled "userID" parameter of the HTTP POST request.
via "National Vulnerability Database".

CVE-2022-24249
A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the xtra_box_write function in /box_code_base.c, which causes a Denial of Service. This vulnerability was fixed in commit 71f9871.
via "National Vulnerability Database".

CVE-2021-29397
Cleartext Transmission of Sensitive Information in /northstar/Admin/login.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows a remote local user to intercept users' credentials transmitted in cleartext over HTTP.
via "National Vulnerability Database".

CVE-2021-23470
This affects the package putil-merge before 3.8.0. The merge() function does not check the values passed into the argument. An attacker can supply a malicious value by adjusting the value to include the constructor property. Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077
via "National Vulnerability Database".

CVE-2021-29395
Directory traversal in /northstar/filemanager/download.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to download arbitrary files, including JSP source code, across the filesystem of the host of the web application.
via "National Vulnerability Database".

CVE-2022-24129
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.
via "National Vulnerability Database".

CVE-2021-23507
The package object-path-set before 1.0.2 is vulnerable to Prototype Pollution via the setPath method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-OBJECTPATHSET-607908
via "National Vulnerability Database".

CVE-2021-29398
Directory traversal in /northstar/Common/NorthFileManager/fileManagerObjects.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to browse and list the directories across the entire filesystem of the host of the web application.
via "National Vulnerability Database".

CVE-2021-45408
Open Redirect vulnerability exists in SeedDMS 6.0.15 in out.Login.php, which allows remote malicious users to redirect users to malicious sites using the "referuri" parameter.
via "National Vulnerability Database".

CVE-2021-29393
Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to inject and execute arbitrary system commands via the unsanitized user-controlled "command" and "commandvalues" parameters.
via "National Vulnerability Database".

CVE-2021-23497
This affects the package @strikeentco/set before 1.0.2. It allows an attacker to cause a denial of service and may lead to remote code execution. **Note:** This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-STRIKEENTCOSET-1038821
via "National Vulnerability Database".

CVE-2021-45429
A Buffer Overflow vulnerability exists in VirusTotal YARA git commit 605b2edf07ed8eb9a2c61ba22eb2e7c362f47ba7 via yr_set_configuration in yara/libyara/libyara.c, which could cause a Denial of Service.
via "National Vulnerability Database".

CVE-2022-24448
An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5. If an application sets the O_DIRECTORY flag and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should occur, but the server instead returns uninitialized data in the file descriptor.
via "National Vulnerability Database".

CVE-2021-29396
Systemic Insecure Permissions in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to use various functionalities without authentication.
via "National Vulnerability Database".