CVE-2022-23643
via "National Vulnerability Database".
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects only the Code Monitoring feature, whereas CVE-2021-43823 also affected saved searches. A successful attack would require an authenticated bad actor to create many Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in versions 3.35.2 and 3.36.3 of Sourcegraph. Those who are unable to upgrade may disable the Code Monitor feature in their installation.
CVE-2022-23641
via "National Vulnerability Database".
Discourse is an open source discussion platform. In versions prior to 2.8.1 in the `stable` branch, 2.9.0.beta2 in the `beta` branch, and 2.9.0.beta2 in the `tests-passed` branch, users can trigger a Denial of Service attack by posting a streaming URL. Parsing Oneboxes in the background job triggers an infinite loop, which causes memory leaks. This issue is patched in version 2.8.1 of the `stable` branch, 2.9.0.beta2 of the `beta` branch, and 2.9.0.beta2 of the `tests-passed` branch. As a workaround, disable onebox in the admin panel completely or specify an allow list of domains that will be oneboxed.
CVE-2021-35380
via "National Vulnerability Database".
A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download (http://url:port/file?valore).
CVE-2021-46251
via "National Vulnerability Database".
A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
CVE-2021-46250
via "National Vulnerability Database".
An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.
CVE-2021-46252
via "National Vulnerability Database".
A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.
CVE-2022-0611
via "National Vulnerability Database".
Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3.11.
CVE-2021-46249
via "National Vulnerability Database".
An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.
Google announces zero-day in Chrome browser - update now!
via "Naked Security".
Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week".
CVE-2022-25242
via "National Vulnerability Database".
In FileCloud before 21.3, file upload is not protected against Cross-Site Request Forgery (CSRF).
CVE-2022-25236
via "National Vulnerability Database".
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
CVE-2022-25241
via "National Vulnerability Database".
In FileCloud before 21.3, the CSV user import functionality is vulnerable to Cross-Site Request Forgery (CSRF).
CVE-2022-25235
via "National Vulnerability Database".
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Infineon's Latest Chip Tackles Post-Quantum Security
via "Dark Reading".
Infineon's latest Trusted Platform Module has a mechanism to still update device firmware after quantum computing breaks existing algorithms.
CVE-2022-23358
via "National Vulnerability Database".
EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In the background, search terms provided by the user were not sanitized and were used directly to construct a SQL statement.
CVE-2021-46388
via "National Vulnerability Database".
WAGO 750-8212 PFC200 G2 2ETH RS Firmware version 03.05.10(17) is affected by a privilege escalation vulnerability. Improper handling of user cookies leads to escalation of privileges to the administrative account of the router.
CVE-2022-0559
via "National Vulnerability Database".
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2.
Emotet Now Spreading Through Malicious Excel Files
via "Threat Post".
An ongoing malicious email campaign that includes macro-laden files and multiple layers of obfuscation has been active since late December.
Poisoned pipelines: Security researcher explores attack methods in CI environments
via "The Daily Swig".
Attack vector abuses permissions to force CI pipelines to execute arbitrary commands.
Be Flexible About Where People Work - But Not on Data Privacy
via "Dark Reading".
If your policies don't keep up with your work models, your company's sensitive information could be at risk.
Hybrid Work Accelerated Fraud; Now, CSOs Are Taking a Seat at the Executive Table
via "Dark Reading".
The days of security as a second-class citizen are over.