CVE-2022-22689
via "National Vulnerability Database".
CA Harvest Software Change Manager versions 13.0.3, 13.0.4, 14.0.0, and 14.0.1, contain a vulnerability in the CSV export functionality, due to insufficient input validation, that can allow a privileged user to potentially execute arbitrary code or commands.

CVE-2022-23614
via "National Vulnerability Database".
Twig is an open source template language for PHP. When in a sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non-Closure callables in the `sort` filter, as is the case for some other filters. Users are advised to upgrade.

CVE-2022-0218
via "National Vulnerability Database".
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

CVE-2022-22724
via "National Vulnerability Database".
A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)

CVE-2021-44204
via "National Vulnerability Database".
Local privilege escalation via named pipe due to improper access control checks. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27147, Acronis Cyber Protect Home Office (Windows) before build 39612, Acronis True Image 2021 (Windows) before build 39287

CVE-2020-12891
via "National Vulnerability Database".
AMD Radeon Software may be vulnerable to DLL Hijacking through the path variable. An unprivileged user may be able to drop a malicious DLL file in any location which is in the path environment variable.

Meta says Apple's iOS privacy changes will cost it $10 billion in 2022
via "ITPro".
The company's CFO suggests Google "faces a different set of restrictions" because it pays Apple to remain the default iOS search engine

KP Snacks supply chain shut down by Conti ransomware attack
via "ITPro".
Crippled IT systems are unable to process new orders "safely" and could be down until late March

Picus Security joins the Microsoft Intelligent Security Association
via "ITPro".
The association integrates Picus' cyber-resilience platform with Microsoft Defender for Endpoint and Microsoft Sentinel

One in seven ransomware extortion attacks leak critical OT data
via "ITPro".
Mandiant discovered data including usernames and passwords, IP addresses, and operator panels

Intel expands its bug bounty program with Project Circuit Breaker
via "ITPro".
The initiative aims to address vulnerabilities in Intel's firmware, GPUs, hypervisors, and chipsets

Cloudflare opens $3,000 bug bounty program to the public
via "ITPro".
The company's previous program paid out around $212,000 over its lifetime

CISOs reveal secrets to pandemic success in critical organisations
via "ITPro".
The pandemic presented unique challenges for every business, but organisations tasked with delivering critical services may have worked the hardest

CVE-2022-0501
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstalk_console prior to 1.7.12.

CVE-2021-38172
via "National Vulnerability Database".
perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.)

CVE-2022-0502
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

CVE-2022-23206
via "National Vulnerability Database".
In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach.

Suspected data breach at Washington State Department of Licensing
via "The Daily Swig".
Agency pulls POLARIS platform offline as investigation continues

CVE-2022-0474
via "National Vulnerability Database".
The full list of recipients from customer users in a contact field could be disclosed in notification emails even when the notification is set to be sent to each recipient individually. This issue affects: OTRS AG OTRSCustomContactFields 8.0.x version: 8.0.11 and prior versions.

CVE-2022-0473
via "National Vulnerability Database".
OTRS administrators can configure a dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be executed in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions.

CVE-2022-23320
via "National Vulnerability Database".
XMPie uStore 12.3.7244.0 allows administrators to generate reports based on raw SQL queries. Since the application ships with default administrative credentials, an attacker may authenticate into the application and exfiltrate sensitive information from the database.