βΌ CVE-2022-24750 βΌ
π Read
via "National Vulnerability Database".
UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to 1.3.8.0 in which the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The vulnerability has been fixed to allow loading of plugins from the installed directory. Affected users should upgrade their UltraVNC to 1.3.8.0. Users unable to upgrade should not install and run UltraVNC server as a service. It is advisable to create a scheduled task on a low privilege account to launch WinVNC.exe instead. There are no known workarounds if wincnc needs to be started as a service.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41233 βΌ
π Read
via "National Vulnerability Database".
Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24726 βΌ
π Read
via "National Vulnerability Database".
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44597 βΌ
π Read
via "National Vulnerability Database".
An Access Control vunerabiity exists in Gerapy v 0.9.7 via the spider parameter in project_configure function.π Read
via "National Vulnerability Database".
π΄ Over 40% of Log4j Downloads Are Vulnerable Versions of the Software π΄
π Read
via "Dark Reading".
The data point is a reminder of why fixing the widespread vulnerability will take a long time.π Read
via "Dark Reading".
Dark Reading
Over 40% of Log4j Downloads Are Vulnerable Versions of the Software
The data point is a reminder of why fixing the widespread vulnerability will take a long time.
π1
βΌ CVE-2022-25512 βΌ
π Read
via "National Vulnerability Database".
FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25511 βΌ
π Read
via "National Vulnerability Database".
An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0280 βΌ
π Read
via "National Vulnerability Database".
A race condition vulnerability exists in the QuickClean feature of McAfee Total Protection for Windows prior to 16.0.43 that allows a local user to gain privilege elevation and perform an arbitrary file delete. This could lead to sensitive files being deleted and potentially cause denial of service. This attack exploits the way symlinks are created and how the product works with them.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0821 βΌ
π Read
via "National Vulnerability Database".
Improper Authorization in GitHub repository orchardcms/orchardcore prior to 1.3.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0815 βΌ
π Read
via "National Vulnerability Database".
Improper access control vulnerability in McAfee WebAdvisor Chrome and Edge browser extensions up to 8.1.0.1895 allows a remote attacker to gain access to McAfee WebAdvisor settings and other details about the userΓ’β¬β’s system. This could lead to unexpected behaviors including; settings being changed, fingerprinting of the system leading to targeted scams, and not triggering the malicious software if McAfee software is detected.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25507 βΌ
π Read
via "National Vulnerability Database".
FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Callsign parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0820 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository orchardcms/orchardcore prior to 1.3.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25506 βΌ
π Read
via "National Vulnerability Database".
FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25510 βΌ
π Read
via "National Vulnerability Database".
FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25508 βΌ
π Read
via "National Vulnerability Database".
An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0822 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Reflected in GitHub repository orchardcms/orchardcore prior to 1.3.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22151 βΌ
π Read
via "National Vulnerability Database".
CAMS for HIS Log Server contained in the following Yokogawa Electric products fails to properly neutralize log outputs: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23401 βΌ
π Read
via "National Vulnerability Database".
The following Yokogawa Electric products contain insecure DLL loading issues. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22729 βΌ
π Read
via "National Vulnerability Database".
CAMS for HIS Server contained in the following Yokogawa Electric products improperly authenticate the receiving packets. The authentication may be bypassed via some crafted packets: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, and Exaopc versions from R3.72.00 to R3.79.00.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21194 βΌ
π Read
via "National Vulnerability Database".
The following Yokogawa Electric products do not change the passwords of the internal Windows accounts from the initial configuration: CENTUM VP versions from R5.01.00 to R5.04.20 and versions from R6.01.00 to R6.08.0, Exaopc versions from R3.72.00 to R3.79.00.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21177 βΌ
π Read
via "National Vulnerability Database".
There is a path traversal vulnerability in CAMS for HIS Log Server contained in the following Yokogawa Electric products: CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, andfrom R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00.π Read
via "National Vulnerability Database".