‼ CVE-2022-0597 ‼
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
via "National Vulnerability Database".
‼ CVE-2022-24586 ‼
A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters.
via "National Vulnerability Database".
‼ CVE-2021-41552 ‼
CommScope URFboard SBG6950AC2 9.1.103AA23 devices allow Command Injection.
via "National Vulnerability Database".
‼ CVE-2021-43734 ‼
kkFileview v4.0.0 has arbitrary file read through a directory traversal vulnerability which may lead to sensitive file leak on related host.
via "National Vulnerability Database".
🗓️ New tool can uncover redacted, pixelated text to reveal sensitive data 🗓️
Developer warns that redaction method is insecure
via "The Daily Swig".
⚠ Google announces zero-day in Chrome browser – update now! ⚠
Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"
via "Naked Security".
‼ CVE-2022-24587 ‼
A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML.
via "National Vulnerability Database".
‼ CVE-2022-24684 ‼
HashiCorp Nomad and Nomad Enterprise before 1.0.17, 1.1.x before 1.1.12, and 1.2.x before 1.2.6 has Uncontrolled Resource Consumption.
via "National Vulnerability Database".
‼ CVE-2021-44960 ‼
In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the renderDocument function handled the XMLDocument object improperly, returning a null pointer in advance at the second if, resulting in a null pointer reference behind the renderDocument function.
via "National Vulnerability Database".
‼ CVE-2022-24585 ‼
A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter.
via "National Vulnerability Database".
‼ CVE-2022-24227 ‼
A cross-site scripting (XSS) vulnerability in BoltWire v7.10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters.
via "National Vulnerability Database".
‼ CVE-2022-24226 ‼
Hospital Management System v4.0 was discovered to contain a blind SQL injection vulnerability via the register function in func2.php.
via "National Vulnerability Database".
‼ CVE-2022-24590 ‼
A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML.
via "National Vulnerability Database".
‼ CVE-2022-24588 ‼
Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function.
via "National Vulnerability Database".
‼ CVE-2022-21698 ‼
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
via "National Vulnerability Database".
‼ CVE-2022-23604 ‼
x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround.
via "National Vulnerability Database".
🕴 3 Critical Software Development Security Trends and Best Practices 🕴
Organizations should focus on proactive, development-based approaches to security.
via "Dark Reading".
❌ Chrome Zero-Day Under Active Attack: Patch ASAP ❌
The year's 1st Chrome zero-day can lead to all sorts of misery, ranging from data corruption to the execution of arbitrary code on vulnerable systems.
via "Threat Post".
🕴 The Unsettling Reason Why Your Help Desk May Be Your Greatest Security Vulnerability 🕴
A rogue help-desk employee could gain access to user accounts through unauthorized password resets. It's time to bring zero trust to the help desk.
via "Dark Reading".
‼ CVE-2022-25200 ‼
A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx Plugin 2022.1.2 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
via "National Vulnerability Database".
‼ CVE-2022-25195 ‼
A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.
via "National Vulnerability Database".