CVE-2022-25094
Home Owners Collection Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the parameter "cover" in SystemSettings.php.
via "National Vulnerability Database".

CVE-2022-25095
Home Owners Collection Management System v1.0 allows unauthenticated attackers to compromise user accounts via a crafted POST request.
via "National Vulnerability Database".

CVE-2022-25096
Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php.
via "National Vulnerability Database".
CVE-2022-21706
Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack where an invitation created in one organization (potentially as a role with elevated permissions) can be used to join any other organization. This bypasses any restrictions on required domains on users' email addresses, may be used to gain access to organizations which are only accessible by invitation, and may be used to gain access with elevated privileges. This issue has been patched in release 4.10. There are no known workarounds for this issue. For more information: if you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server (https://zulip.com/developer-community/), or email the Zulip security team (security@zulip.com).
via "National Vulnerability Database".
CVE-2022-0762
Business Logic Errors in GitHub repository microweber/microweber prior to 1.3.
via "National Vulnerability Database".

CVE-2022-0763
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
via "National Vulnerability Database".

CVE-2022-0764
Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0.
via "National Vulnerability Database".

CVE-2020-27958
The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template.
via "National Vulnerability Database".

CVE-2022-26146
Tricentis qTest before 10.4 allows stored XSS by an authenticated attacker.
via "National Vulnerability Database".

CVE-2022-26149
MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
via "National Vulnerability Database".

CVE-2022-22908
SangforCSClient.exe in Sangfor VDI Client 5.4.2.1006 allows attackers, when they are able to read process memory, to discover the contents of the Username and Password fields.
via "National Vulnerability Database".
CVE-2021-21708
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits.
via "National Vulnerability Database".
CVE-2021-43945
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
via "National Vulnerability Database".

CVE-2022-26159
The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/<domain>/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.
via "National Vulnerability Database".
Bridgestone Americas 'disconnects' manufacturing facilities following 'security incident'
World's biggest tire manufacturer yet to determine 'scope or nature of any potential incident'
via "The Daily Swig".
How to Boost Shift-Left Security in the SDLC
Organizations will see big wins from applying security controls early in the development life cycle.
via "Dark Reading".
CVE-2022-24685
HashiCorp Nomad and Nomad Enterprise 1.x before 1.0.17, 1.1.x before 1.1.12, and 1.2.x before 1.2.6 has Uncontrolled Resource Consumption.
via "National Vulnerability Database".
CVE-2022-24572
Car Driving School Management System v1.0 is affected by Cross Site Scripting (XSS) in the User Enrollment Form (Username Field). To exploit this vulnerability, an admin views the registered user details.
via "National Vulnerability Database".

CVE-2022-24571
Car Driving School Management System v1.0 is affected by SQL injection in the login page. An attacker can use a simple SQL login injection payload to get admin access.
via "National Vulnerability Database".
Companies Borrow Attack Technique to Watermark Machine Learning Models
Researchers continue to improve on a technique for embedding crafted outputs into machine-learning models, an anti-copying technique originally thought up by adversarial researchers.
via "Dark Reading".
CVE-2022-25642
Obyte (formerly Byteball) Wallet before 3.4.1 allows XSS. A crafted chat message can lead to remote code execution.
via "National Vulnerability Database".