CVE-2022-23618
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites; in particular, well-known parameters such as `xredirect` can be used to perform URL redirections to arbitrary external sites (an open redirect). This problem has been patched in XWiki 12.10.7 and XWiki 13.3RC1. Users are advised to update. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-23615
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the rights of the current user, which allows access to APIs requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access.
via "National Vulnerability Database".
CVE-2022-23622
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross-site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used when both of the following conditions hold:
1. The wiki must be open to registration for anyone.
2. The wiki must be closed to view for Guest users, or more specifically the XWiki.Registration page must be forbidden in View for the guest user. One way the second condition arises is when administrators have checked the "Prevent unregistered users from viewing pages, regardless of the page rights" box in the administration rights.
This issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7 and 13.10.3. There are two main ways of protecting against this vulnerability. The easiest and best one is to patch the `registerinline.vm` template: the patch consists of making sure the line that renders the hidden field escapes the value of the xredirect field, i.e. it matches `<input type="hidden" name="xredirect" value="$escapetool.xml($!request.xredirect)" />`. If for some reason it is not possible to patch this file, another workaround is to ensure "Prevent unregistered users from viewing pages, regardless of the page rights" is not checked in the rights and to apply a better rights scheme using groups and rights on spaces.
via "National Vulnerability Database".
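The two `xredirect` issues above (CVE-2022-23618, the open redirect, and CVE-2022-23622, the XSS in the hidden field) are different failures of the same parameter and need different controls, so here is one added example covering both. It is illustrative Python written for this page, not XWiki code: `is_safe_redirect` is an allow-list check that accepts only root-relative paths (rejecting the `//host`, `///host`, backslash and control-character forms that browsers resolve off-site), and `hidden_field_escaped` renders the hidden input with the value HTML-escaped, which has the same effect as the `$escapetool.xml` call in the patched template. `DEFAULT_TARGET` is an assumed fallback path.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Assumed fallback for when no acceptable target is supplied (not an XWiki constant).
DEFAULT_TARGET = "/bin/view/Main/"


def is_safe_redirect(target: str) -> bool:
    """Return True only for a root-relative path on this site.

    Rejects everything a browser could resolve to another origin: absolute
    URLs, scheme-relative "//host" and "///host" forms, backslashes (which
    some browsers treat as "/"), and control characters or surrounding
    whitespace (the WHATWG URL parser strips tab/newline and leading spaces
    before parsing, so "/\t/host" would become "//host").
    """
    if not target or target != target.strip():
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    if "\\" in target:
        return False
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Belt and braces: a root-relative path never carries a scheme or host.
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(xredirect: Optional[str]) -> str:
    """Choose the Location value: the requested target if safe, else the default."""
    if xredirect is not None and is_safe_redirect(xredirect):
        return xredirect
    return DEFAULT_TARGET


def hidden_field_unescaped(xredirect: str) -> str:
    """The vulnerable pattern: the request value lands in the attribute verbatim."""
    return '<input type="hidden" name="xredirect" value="%s" />' % xredirect


def hidden_field_escaped(xredirect: str) -> str:
    """The patched pattern: the attribute value is HTML-escaped, including
    quotes, so the value cannot close the attribute or the tag."""
    return '<input type="hidden" name="xredirect" value="%s" />' % html.escape(
        xredirect, quote=True
    )
```

Escaping stops the markup injection but does nothing about where the user is eventually sent; the allow-list check does that, so a registration flow needs both: validate the value when it is used for the redirect, escape it whenever it is echoed into a page.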
CVE-2022-23620
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing them to the filesystem, so it is possible for the HTML export process to produce file references containing filesystem syntax such as "../", "./" or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. It can be worked around by limiting or disabling document export.
via "National Vulnerability Database".
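Added example (Python written for this page, not the XWiki export code) of the traversal class behind CVE-2022-23620 beside a hardened equivalent: `unsafe_export_path` builds the output filename straight from a serialized reference, while `safe_export_name` percent-encodes the reference into a single path component and refuses the names the OS treats specially, and `safe_export_path` adds a final containment check. The `.css` suffix and the `export` root directory are assumptions.

```python
import os
from urllib.parse import quote

# Assumed: exported skin extensions are written as stylesheets.
EXPORT_SUFFIX = ".css"


def unsafe_export_path(export_root: str, reference: str) -> str:
    """The vulnerable pattern: the serialized reference goes straight into the path,
    so "../" inside it walks out of the export directory."""
    return os.path.join(export_root, reference + EXPORT_SUFFIX)


def safe_export_name(reference: str) -> str:
    """Percent-encode the serialized reference so it is one path component.

    quote() with an empty safe set encodes "/" and "\\" (and anything else
    outside the unreserved set), but it leaves "." alone, so the names the
    OS itself treats specially are refused explicitly.
    """
    name = quote(reference, safe="")
    if name in ("", ".", ".."):
        raise ValueError(f"refusing reference {reference!r}")
    return name + EXPORT_SUFFIX


def is_rejected(reference: str) -> bool:
    """Boolean wrapper around safe_export_name for callers that prefer no exception."""
    try:
        safe_export_name(reference)
        return False
    except ValueError:
        return True


def escapes_root(export_root: str, path: str) -> bool:
    """True if path resolves outside export_root once '..' and symlinks are applied."""
    root = os.path.realpath(export_root)
    resolved = os.path.realpath(path)
    return os.path.commonpath([root, resolved]) != root


def safe_export_path(export_root: str, reference: str) -> str:
    """Encoded name plus a defence-in-depth containment check."""
    path = os.path.join(export_root, safe_export_name(reference))
    if escapes_root(export_root, path):
        raise ValueError(f"{path!r} escapes {export_root!r}")
    return path
```

The encoding step is what makes the name safe; the `escapes_root` check is there so that a future change to the encoding (or a reference source nobody thought of) fails closed instead of silently writing outside the export tree.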
CVE-2022-23619
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible to guess whether a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched in XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised to update. There are no known workarounds for this issue.
via "National Vulnerability Database".
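Added example, not XWiki code, of the enumeration pattern behind CVE-2022-23619 and the usual fix: a forgot-password handler that reveals account existence through its reply, beside one that returns the same text for every name and only issues a token for real accounts. The account store, token table and outbox are constructed in-memory stand-ins for this example.

```python
import hmac
import secrets

# Constructed sample account store for this example; not real accounts.
ACCOUNTS = {"alice": "alice@example.org"}

# Stand-ins for a persistent token table and an outbound mail queue.
RESET_TOKENS = {}
OUTBOX = []

GENERIC_REPLY = "If an account with that name exists, a reset link has been e-mailed to it."


def _issue_token(username: str) -> None:
    """Create a reset token and queue the mail; only ever called for real accounts."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = token
    OUTBOX.append((ACCOUNTS[username], token))


def forgot_password_vulnerable(username: str) -> str:
    """The leaky pattern: the reply differs for known and unknown names,
    so anyone who can reach the form can confirm who has an account."""
    if username not in ACCOUNTS:
        return "No account with that name exists."
    _issue_token(username)
    return "A reset link has been e-mailed to you."


def forgot_password_hardened(username: str) -> str:
    """Same reply for every name. The mail is still only queued for real
    accounts; the unknown-name branch does the same token work so the two
    paths are close in cost (actual delivery must happen asynchronously, or
    SMTP latency would leak the answer anyway)."""
    if username in ACCOUNTS:
        _issue_token(username)
    else:
        secrets.token_urlsafe(32)  # discarded; keeps the branches comparable
    return GENERIC_REPLY


def redeem_token(username: str, presented: str) -> bool:
    """Constant-time token check; unknown names get the same 'invalid' answer
    as wrong tokens, and a token is good for one use only."""
    expected = RESET_TOKENS.get(username, "")
    ok = hmac.compare_digest(expected.encode(), presented.encode()) and expected != ""
    if ok:
        del RESET_TOKENS[username]
    return ok
```

A uniform reply closes the direct oracle; rate limiting on the form and the same treatment on the login and registration pages are needed as well, since any of those can become the next enumeration channel.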
Experts: Several CVEs From Microsoft's February Security Update Require Prompt Attention
Microsoft's release of relatively sparse vulnerability information makes it difficult for organizations to prioritize mitigation efforts, security experts say.
via "Dark Reading".
Putting AI to Practical Use in Cybersecurity
Almost every cybersecurity product has an AI component. Here is where it's working in the real world.
via "Dark Reading".
Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist
The cops say they’ve recovered 80% of a $72 million cryptocoin heist… but the recovered funds alone are now worth over $4 billion!
via "Naked Security".
CVE-2021-33115
Improper input validation for some Intel(R) PROSet/Wireless WiFi in UEFI may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
via "National Vulnerability Database".
CVE-2021-0161
Improper input validation in firmware for Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and Killer(TM) Wi-Fi in Windows 10 and 11 may allow a privileged user to potentially enable escalation of privilege via local access.
via "National Vulnerability Database".
CVE-2021-33137
Out-of-bounds write in the Intel(R) Kernelflinger project may allow an authenticated user to potentially enable escalation of privilege via local access.
via "National Vulnerability Database".
CVE-2021-33166
Incorrect default permissions for the Intel(R) RXT for Chromebook application, all versions, may allow an authenticated user to potentially enable information disclosure via local access.
via "National Vulnerability Database".
CVE-2021-33096
Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access.
via "National Vulnerability Database".
CVE-2022-20027
In Bluetooth, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06126826; Issue ID: ALPS06126826.
via "National Vulnerability Database".
CVE-2021-0173
Improper validation of consistency within input in firmware for some Intel(R) PROSet/Wireless Wi-Fi in multiple operating systems and some Killer(TM) Wi-Fi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
via "National Vulnerability Database".
CVE-2021-0092
Improper access control in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable a denial of service via local access.
via "National Vulnerability Database".
CVE-2021-33147
Improper conditions check in the Intel(R) IPP Crypto library before version 2021.2 may allow an authenticated user to potentially enable information disclosure via local access.
via "National Vulnerability Database".
CVE-2021-33113
Improper input validation for some Intel(R) PROSet/Wireless WiFi in multiple operating systems and Killer(TM) WiFi in Windows 10 and 11 may allow an unauthenticated user to potentially enable denial of service or information disclosure via adjacent access.
via "National Vulnerability Database".
CVE-2021-0103
Insufficient control flow management in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
via "National Vulnerability Database".
CVE-2021-22954
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users.
via "National Vulnerability Database".
CVE-2022-21133
Out-of-bounds read in the Intel(R) Trace Analyzer and Collector before version 2021.5 may allow an authenticated user to potentially enable denial of service via local access.
via "National Vulnerability Database".