🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-21703 ‼

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0524 ‼

Business Logic Errors in Rubygems typo prior to 9.2.7.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23626 ‼

m1k1o/blog is a lightweight self-hosted facebook-styled PHP blog. Errors from functions `imagecreatefrom*` and `image*` have not been checked properly. Although PHP issued warnings and the upload function returned `false`, the original file (that could contain a malicious payload) was kept on the disk. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0521 ‼

Access of Memory Location After End of Buffer in GitHub repository radareorg/radare2 prior to 5.6.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0518 ‼

Heap-based Buffer Overflow in NPM radare2.js prior to 5.6.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-21713 ‼

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization: `/teams/:teamId` allows an authenticated attacker to view unintended data by querying for a specific team ID; `/teams/:search` allows an authenticated attacker to search for teams and see the total number of available teams, including teams the user does not have access to; and `/teams/:teamId/members`, when the editors_can_admin flag is enabled, allows an authenticated attacker to see unintended data by querying for a specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0519 ‼

Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0523 ‼

Expired Pointer Dereference in NPM radare2.js prior to 5.6.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0520 ‼

Use After Free in NPM radare2.js prior to 5.6.2.

📖 Read

via "National Vulnerability Database".
🕴 Microsoft Issues 51 CVEs for Patch Tuesday, None 'Critical' 🕴

One publicly known flaw — an elevation-of-privilege bug in Windows Kernel — was included in the patches.

📖 Read

via "Dark Reading".
β™ŸοΈ Microsoft Patch Tuesday, February 2022 Edition β™ŸοΈ

Microsoft today released software updates to plug security holes in its Windows operating systems and related software. This month's relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.

📖 Read

via "Krebs on Security".
‼ CVE-2022-24676 ‼

update_code in Admin.php in HYBBS2 through 2.3.2 allows arbitrary file upload via a crafted ZIP archive.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-45329 ‼

Cross Site Scripting (XSS) vulnerability exists in Gitea before 1.5.1 via the repository settings inside the external wiki/issue tracker URL field.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23627 ‼

ArchiSteamFarm (ASF) is a C# application whose primary purpose is idling Steam cards from multiple accounts simultaneously. Due to a bug in ASF code, introduced in version V5.2.2.2, the program didn't adequately verify the effective access of the user sending proxy (i.e. `[Bots]`) commands. In particular, a proxy-like command sent to bot `A` targeting bot `B` incorrectly verified the user's access against bot `A` instead of bot `B`, to which the command was originally addressed. As a result, this allowed access to resources beyond those configured, a security threat affecting the confidentiality of other bot instances. A successful attack exploiting this bug requires significant access granted explicitly by the original owner of the ASF process beforehand, as the attacker has to control at least one bot in the process to make use of this inadequate access verification. The issue is patched in ASF V5.2.2.5, V5.2.3.2 and future versions. Users are advised to update as soon as possible.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-45919 ‼

Studio 42 elFinder through 2.1.31 allows XSS via an SVG document.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24677 ‼

Admin.php in HYBBS2 through 2.3.2 allows remote code execution because it writes plugin-related configuration information to conf.php.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0527 ‼

Cross-site Scripting (XSS) - Stored in Maven org.webjars.npm:github-com-chatwoot-chatwoot prior to 2.2.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0526 ‼

Cross-site Scripting (XSS) - Stored in Maven org.webjars.npm:github-com-chatwoot-chatwoot prior to 2.2.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0525 ‼

Out-of-bounds Read in Homebrew mruby prior to 3.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24694 ‼

In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen by a person not owning the folders. (Only folder names are affected. Neither file names nor file contents are affected.)

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24682 ‼

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document.

📖 Read

via "National Vulnerability Database".