β No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day β
π Read
via "Threat Post".
This batch had zero critical CVEs, which is unheard of. Most (50) of the patches are labeled Important, so don't delay to apply the patches, security experts said.π Read
via "Threat Post".
Threat Post
No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day
This batch had zero critical CVEs, which is unheard of. Most (50) of the patches are labeled Important, so don't delay to apply the patches, security experts said.
π΄ Get Started on Continuous Compliance Ahead of PCI DSS v4.0 π΄
π Read
via "Dark Reading".
Here's what vendors can do to prepare in the time remaining before the final release of PCI DSS 4.0 this quarter.π Read
via "Dark Reading".
Dark Reading
Get Started on Continuous Compliance Ahead of PCI DSS v4.0
Here's what retailers and anyone collecting payments can do to prepare in the time remaining before the final release of PCI DSS 4.0 this quarter.
π΄ Threat Actors Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks π΄
π Read
via "Dark Reading".
Recent attacks involving so-called "right-to-left override" spoofing aimed at Microsoft 365 users show how attackers sometimes modify and improve old methods to try and stay one step ahead of defenders.π Read
via "Dark Reading".
Dark Reading
Threat Actors Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks
Recent attacks involving so-called "right-to-left override" spoofing aimed at Microsoft 365 users show how attackers sometimes modify and improve old methods to try and stay one step ahead of defenders.
βΌ CVE-2022-21702 βΌ
π Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0139 βΌ
π Read
via "National Vulnerability Database".
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.0.π Read
via "National Vulnerability Database".
π΄ Google Cuts User Account Compromises in Half With Simple Change π΄
π Read
via "Dark Reading".
The online tech giant auto-enabled two-step verification for more than 150 million users, throwing up steep hurdles against scammers and attackers.π Read
via "Dark Reading".
Dark Reading
Google Cuts User Account Compromises in Half With Simple Change
The online tech giant auto-enabled two-step verification for more than 150 million users, throwing up steep hurdles against scammers and attackers.
π1
βΌ CVE-2022-0522 βΌ
π Read
via "National Vulnerability Database".
Access of Memory Location Before Start of Buffer in NPM radare2.js prior to 5.6.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21703 βΌ
π Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0524 βΌ
π Read
via "National Vulnerability Database".
Business Logic Errors in Rubygems typo prior to 9.2.7.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23626 βΌ
π Read
via "National Vulnerability Database".
m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0521 βΌ
π Read
via "National Vulnerability Database".
Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0518 βΌ
π Read
via "National Vulnerability Database".
Heap-based Buffer Overflow in NPM radare2.js prior to 5.6.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21713 βΌ
π Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0519 βΌ
π Read
via "National Vulnerability Database".
Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0523 βΌ
π Read
via "National Vulnerability Database".
Expired Pointer Dereference in NPM radare2.js prior to 5.6.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0520 βΌ
π Read
via "National Vulnerability Database".
Use After Free in NPM radare2.js prior to 5.6.2.π Read
via "National Vulnerability Database".
π΄ Microsoft Issues 51 CVEs for Patch Tuesday, None 'Critical' π΄
π Read
via "Dark Reading".
One publicly known flaw β an elevation-of-privilege bug in Windows Kernel β was included in the patches.π Read
via "Dark Reading".
Dark Reading
Microsoft Issues 51 CVEs for Patch Tuesday, None 'Critical'
One publicly known flaw β an elevation-of-privilege bug in Windows Kernel β was included in the patches.
βοΈ Microsoft Patch Tuesday, February 2022 Edition βοΈ
π Read
via "Krebs on Security".
Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month's relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.π Read
via "Krebs on Security".
Krebsonsecurity
Microsoft Patch Tuesday, February 2022 Edition
Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month's relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But itβ¦
βΌ CVE-2022-24676 βΌ
π Read
via "National Vulnerability Database".
update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45329 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23627 βΌ
π Read
via "National Vulnerability Database".
ArchiSteamFarm (ASF) is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code, introduced in version V5.2.2.2, the program didn't adequately verify effective access of the user sending proxy (i.e. `[Bots]`) commands. In particular, a proxy-like command sent to bot `A` targeting bot `B` has incorrectly verified user's access against bot `A` - instead of bot `B`, to which the command was originally designated. This in result allowed access to resources beyond those configured, being a security threat affecting confidentiality of other bot instances. A successful attack exploiting this bug requires a significant access granted explicitly by original owner of the ASF process prior to that, as attacker has to control at least a single bot in the process to make use of this inadequate access verification loophole. The issue is patched in ASF V5.2.2.5, V5.2.3.2 and future versions. Users are advised to update as soon as possible.π Read
via "National Vulnerability Database".