βΌ CVE-2022-23708 βΌ
π Read
via "National Vulnerability Database".
A flaw was discovered in Elasticsearch 7.17.0Γ’β¬β’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with Γ’β¬Ε*Γ’β¬οΏ½ index permissions access to this index.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2021-4002 βΌ
π Read
via "National Vulnerability Database".
A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.π Read
via "National Vulnerability Database".
ποΈ Equifax data breach: Consumers unlikely to benefit financially from final settlement ποΈ
π Read
via "The Daily Swig".
Potential claimants would face an βuphill battle in order to establish standingβ, says US privacy law expertπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Equifax data breach: Consumers unlikely to benefit financially from final settlement
Potential claimants would face an βuphill battle in order to establish standingβ, says US privacy law expert
βΌ CVE-2022-23327 βΌ
π Read
via "National Vulnerability Database".
A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).π Read
via "National Vulnerability Database".
βΌ CVE-2022-0752 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Generic in GitHub repository hestiacp/hestiacp prior to 1.5.9.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23328 βΌ
π Read
via "National Vulnerability Database".
A design flaw in all versions of Go-Ethereum allows an attacker node to send 5120 pending transactions of a high gas price from one account that all fully spend the full balance of the account to a victim Geth node, which can purge all of pending transactions in a victim node's memory pool and then occupy the memory pool to prevent new transactions from entering the pool, resulting in a denial of service (DoS).π Read
via "National Vulnerability Database".
ποΈ RCE vulnerability in Dynamicweb enterprise software could allow server compromise ποΈ
π Read
via "The Daily Swig".
βExtremely easy to exploitβ bug introduced to codebase in 2018, say researchersπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
RCE vulnerability in Dynamicweb enterprise software could allow server compromise
βExtremely easy to exploitβ bug introduced to codebase in 2018, say researchers
π΄ DORA's Global Reach and Why Enterprises Need to Prepare π΄
π Read
via "Dark Reading".
The new EU regulation is a response to the rise of ransomware attacks and other new cyberthreats that have proliferated in the wake of the global pandemic.π Read
via "Dark Reading".
Dark Reading
DORA's Global Reach and Why Enterprises Need to Prepare
The new EU regulation is a response to the rise of ransomware attacks and other new cyberthreats that have proliferated in the wake of the global pandemic.
βΌ CVE-2021-46393 βΌ
π Read
via "National Vulnerability Database".
There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v10 variable is directly retrieved from the http request parameter startIp. Then v10 will be splice to stack by function sscanf without any security check,which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46394 βΌ
π Read
via "National Vulnerability Database".
There is a stack buffer overflow vulnerability in the formSetPPTPServer function of Tenda-AX3 router V16.03.12.10_CN. The v13 variable is directly retrieved from the http request parameter startIp. Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. By POSTing the page /goform/SetPptpServerCfg with proper startIp, the attacker can easily perform remote code execution with carefully crafted overflow data.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43392 βΌ
π Read
via "National Vulnerability Database".
STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to obtain information on cryptographic secrets. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26201 βΌ
π Read
via "National Vulnerability Database".
Victor CMS v1.0 was discovered to contain a SQL injection vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44321 βΌ
π Read
via "National Vulnerability Database".
Mini-Inventory-and-Sales-Management-System is affected by Cross Site Request Forgery (CSRF), where an attacker can update/delete items in the inventory. The attacker must be logged into the application create a malicious file for updating the inventory details and items.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0831 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43393 βΌ
π Read
via "National Vulnerability Database".
STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to abuse signature verification. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0832 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.3.3.π Read
via "National Vulnerability Database".
ποΈ Japanese beauty retailer Acro blames third-party hack for breach of 100k payment cards ποΈ
π Read
via "The Daily Swig".
Company traces compromise to vulnerability in payment processorβs systemsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Japanese beauty retailer Acro blames third-party hack for breach of 100k payment cards
Company traces compromise to vulnerability in payment processorβs systems
β S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript] β
π Read
via "Naked Security".
Latest episode - listen now (or read it, if that's your preference)...π Read
via "Naked Security".
Naked Security
S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]
Latest episode β listen now (or read it, if thatβs your preference)β¦
β Free HermeticRansom Ransomware Decryptor Released β
π Read
via "Threat Post".
Cruddy cryptography means victims whose files have been encrypted by the Ukraine-tormenting ransomware can break the chains without paying extortionists.π Read
via "Threat Post".
Threat Post
Free HermeticRansom Ransomware Decryptor Released
Cruddy cryptography means victims whose files have been encrypted by the Ukraine-tormenting ransomware can break the chains without paying extortionists.
βΌ CVE-2020-18327 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2π Read
via "National Vulnerability Database".
βΌ CVE-2022-23729 βΌ
π Read
via "National Vulnerability Database".
When the device is in factory state, it can be access the shell without adb authentication process. The LG ID is LVE-SMP-210010.π Read
via "National Vulnerability Database".