βΌ CVE-2021-44262 βΌ
π Read
via "National Vulnerability Database".
A vulnerability is in the 'MNU_top.htm' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication. When processed, it exposes some key information for the device.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25352 βΌ
π Read
via "National Vulnerability Database".
The package libnested before 1.5.2 are vulnerable to Prototype Pollution via the set function in index.js. **Note:** This vulnerability derives from an incomplete fix for [CVE-2020-28283](https://security.snyk.io/vuln/SNYK-JS-LIBNESTED-1054930)π Read
via "National Vulnerability Database".
βΌ CVE-2022-21221 βΌ
π Read
via "National Vulnerability Database".
The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25760 βΌ
π Read
via "National Vulnerability Database".
All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If (attacker-controlled) user input is given to the format option of the package's exported constructor function, it is possible for an attacker to execute arbitrary JavaScript code on the host that this package is being run on.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25296 βΌ
π Read
via "National Vulnerability Database".
The package bodymen from 0.0.0 are vulnerable to Prototype Pollution via the handler function which could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload. **Note:** This vulnerability derives from an incomplete fix to [CVE-2019-10792](https://security.snyk.io/vuln/SNYK-JS-BODYMEN-548897)π Read
via "National Vulnerability Database".
βΌ CVE-2021-45793 βΌ
π Read
via "National Vulnerability Database".
Slims9 Bulian 9.4.2 is affected by SQL injection in lib/comment.inc.php. User data can be obtained.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0748 βΌ
π Read
via "National Vulnerability Database".
The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44259 βΌ
π Read
via "National Vulnerability Database".
A vulnerability is in the 'wx.html' page of the WAVLINK AC1200, version WAVLINK-A42W-1.27.6-20180418, which can allow a remote attacker to access this page without any authentication. When an unauthorized user accesses this page directly, it connects to this device as a friend of the device owner.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25354 βΌ
π Read
via "National Vulnerability Database".
The package set-in before 2.0.3 are vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049)π Read
via "National Vulnerability Database".
βΌ CVE-2021-45794 βΌ
π Read
via "National Vulnerability Database".
Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23556 βΌ
π Read
via "National Vulnerability Database".
The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0749 βΌ
π Read
via "National Vulnerability Database".
This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23771 βΌ
π Read
via "National Vulnerability Database".
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).π Read
via "National Vulnerability Database".
β Reporting Mandates to Clear Up Fedsβ Hazy Look into Threat Landscape β Podcast β
π Read
via "Threat Post".
Itβs about time, AttackIQβs Jonathan Reiber said about 24H/72H report deadlines mandated in the new spending bill. As it is, visibility into adversary behavior has been muck.π Read
via "Threat Post".
Threat Post
Reporting Mandates to Clear Up Fedsβ Hazy Look into Threat Landscape β Podcast
Itβs about time, AttackIQβs Jonathan Reiber said about 24H/72H report deadlines mandated in the new spending bill. As it is, visibility into adversary behavior has been muck.
β Misconfigured Firebase Databases Exposing Data in Mobile Apps β
π Read
via "Threat Post".
Five percent of the databases are vulnerable to threat actors: It's a gold mine of exploit opportunity in thousands of mobile apps, researchers say.π Read
via "Threat Post".
Threat Post
Misconfigured Firebase Databases Exposing Data in Mobile Apps
Five percent of the databases are vulnerable to threat actors: It's a gold mine of exploit opportunity in thousands of mobile apps, researchers say.
ποΈ Downdetector: How the popular site outage tracker is helping to improve web security ποΈ
π Read
via "The Daily Swig".
βMinutes matter, and being able to get that additional feed can give infosec teams the edgeβπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Downdetector: How the popular site outage tracker is helping to improve web security
βMinutes matter, and being able to get that additional feed can give infosec teams the edgeβ
π΄ Stopping Russian Cyberattacks at Their Source π΄
π Read
via "Dark Reading".
Step up training with cybersecurity drills, teach how to avoid social engineering traps, share open source monitoring tools, and make multifactor authentication the default.π Read
via "Dark Reading".
Dark Reading
Stopping Russian Cyberattacks at Their Source
Step up training with cybersecurity drills, teach how to avoid social engineering traps, share open source monitoring tools, and make multifactor authentication the default.
βΌ CVE-2021-44906 βΌ
π Read
via "National Vulnerability Database".
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).π Read
via "National Vulnerability Database".
βΌ CVE-2022-25364 βΌ
π Read
via "National Vulnerability Database".
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)π Read
via "National Vulnerability Database".
βΌ CVE-2022-26503 βΌ
π Read
via "National Vulnerability Database".
Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24759 βΌ
π Read
via "National Vulnerability Database".
`@chainsafe/libp2p-noise` contains TypeScript implementation of noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds.π Read
via "National Vulnerability Database".