‼ CVE-2022-0020 ‼
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in the Palo Alto Networks Cortex XSOAR web interface enables an authenticated network-based attacker to store a persistent JavaScript payload that will perform arbitrary actions in the Cortex XSOAR web interface on behalf of authenticated administrators who encounter the payload during normal operations. This issue impacts: all builds of Cortex XSOAR 6.1.0; Cortex XSOAR 6.2.0 builds earlier than build 1958888.
‼ CVE-2022-0018 ‼
via "National Vulnerability Database".
An information exposure vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows and MacOS where the credentials of the local user account are sent to the GlobalProtect portal when the Single Sign-On feature is enabled in the GlobalProtect portal configuration. This product behavior is intentional and poses no security risk when connecting to trusted GlobalProtect portals configured to use the same Single Sign-On credentials both for the local user account and for the GlobalProtect login. However, when the credentials are different, the local account credentials are inadvertently sent to the GlobalProtect portal for authentication. A third-party MITM attacker cannot see these credentials in transit. This vulnerability is a concern where the GlobalProtect app is deployed on Bring-Your-Own-Device (BYOD) clients with private local user accounts, or where the GlobalProtect app is used to connect to different organizations. Fixed versions of the GlobalProtect app have an app setting to prevent the transmission of the user's local user credentials to the target GlobalProtect portal regardless of the portal configuration. This issue impacts: GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.10 on Windows and MacOS; GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.9 on Windows and MacOS. This issue does not affect the GlobalProtect app on other platforms.
‼ CVE-2022-20703 ‼
via "National Vulnerability Database".
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.
‼ CVE-2022-20712 ‼
via "National Vulnerability Database".
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.
‼ CVE-2021-37613 ‼
via "National Vulnerability Database".
Stormshield Network Security (SNS) 1.0.0 through 4.2.3 allows a Denial of Service.
‼ CVE-2022-20738 ‼
via "National Vulnerability Database".
A vulnerability in the Cisco Umbrella Secure Web Gateway service could allow an unauthenticated, remote attacker to bypass the file inspection feature. This vulnerability is due to insufficient restrictions in the file inspection feature. An attacker could exploit this vulnerability by downloading a crafted payload through specific methods. A successful exploit could allow the attacker to bypass file inspection protections and download a malicious payload.
‼ CVE-2022-20704 ‼
via "National Vulnerability Database".
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.
‼ CVE-2022-20702 ‼
via "National Vulnerability Database".
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.
‼ CVE-2021-45357 ‼
via "National Vulnerability Database".
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 12.x via the pwg_activity function in include/functions.inc.php.
‼ CVE-2022-20706 ‼
via "National Vulnerability Database".
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.
‼ CVE-2022-0016 ‼
via "National Vulnerability Database".
An improper handling of exceptional conditions vulnerability exists within the Connect Before Logon feature of the Palo Alto Networks GlobalProtect app that enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect Before Logon under certain circumstances. This issue impacts GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.9 on Windows and MacOS. This issue does not affect the GlobalProtect app on other platforms.
🗓️ Cryptocurrency firm MakerDAO offers record $10m in newly launched bug bounty program 🗓️
via "The Daily Swig".
Chance to become an instant multimillionaire via flaws in DAI smart contracts, websites, and apps.
🕴 Orca Security Adds Expanded CIEM Capabilities and Multi-Cloud Security Score to Cloud Platform 🕴
via "Dark Reading".
Expands cloud infrastructure entitlement management capabilities, adds cloud security benchmarking, and support for Kubernetes compliance frameworks.
🕴 Dynatrace Adds Real-Time Attack Detection and Blocking, Advancing Cloud Application Security 🕴
via "Dark Reading".
Application Security Module unifies multicloud observability and advanced AIOps with real-time vulnerability management and defense.
🕴 Dynatrace Launches DevSecOps Automation Alliance Partner Program 🕴
via "Dark Reading".
Program enables alliance and solution partners to extend the capabilities of their DevSecOps offerings through seamless integrations with the Dynatrace platform.
‼ CVE-2022-23321 ‼
via "National Vulnerability Database".
A persistent cross-site scripting (XSS) vulnerability exists in two input fields within the administrative panel when editing users in the XMPie UStore application, version 12.3.7244.0.
‼ CVE-2021-45364 ‼
via "National Vulnerability Database".
A code execution vulnerability exists in Statamic versions through 3.2.26 via SettingsController.php.
‼ CVE-2021-44850 ‼
via "National Vulnerability Database".
On Xilinx Zynq-7000 SoC devices, physical modification of an SD boot image allows for a buffer overflow attack in the ROM. Because the Zynq-7000's boot image header is unencrypted and unauthenticated before use, an attacker can modify the boot header stored on an SD card so that a secure image appears to be unencrypted, and they will then be able to modify the full range of register initialization values. Normally, these registers are restricted when booting securely. Of importance to this attack are two registers that control the SD card's transfer type and transfer size. These registers could be modified in a way that causes a buffer overflow in the ROM.
‼ CVE-2022-24916 ‼
via "National Vulnerability Database".
Optimism before @eth-optimism/l2geth@0.5.11 allows economic griefing because a balance is duplicated upon contract self-destruction.
‼ CVE-2022-24568 ‼
via "National Vulnerability Database".
Novel-plus v3.6.0 was discovered to be vulnerable to Server-Side Request Forgery (SSRF) via user-supplied crafted input.
‼ CVE-2022-23630 ‼
via "National Vulnerability Database".
Gradle is a build tool with a focus on build automation and support for multi-language development. When dependency verification is enabled, Gradle checks external artifacts against trusted checksums or signatures before accepting them. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations share dependencies with other configurations that have dependency verification enabled. If the configuration with dependency verification disabled is resolved first, Gradle does not verify the shared dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes this issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. Users who cannot update should either avoid `ResolutionStrategy.disableDependencyVerification()` (and plugins that call that method to disable dependency verification for a single configuration), or make sure that configurations which disable the feature are not resolved in builds that also resolve configurations where the feature is enabled.