CVE-2022-25354
Read via "National Vulnerability Database".
The package set-in before 2.0.3 is vulnerable to Prototype Pollution via the setIn method, as it allows an attacker to merge object prototypes into it. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-28273](https://security.snyk.io/vuln/SNYK-JS-SETIN-1048049).
CVE-2021-45794
Read via "National Vulnerability Database".
Slims9 Bulian 9.4.2 is affected by SQL injection in /admin/modules/system/backup.php. User data can be obtained.
CVE-2021-23556
Read via "National Vulnerability Database".
The package guake before 3.8.5 is vulnerable to Exposed Dangerous Method or Function due to the exposure of the execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that is able to send dbus signals or run terminal commands.
CVE-2022-0749
Read via "National Vulnerability Database".
This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatter.
CVE-2021-23771
Read via "National Vulnerability Database".
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype Pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).
Reporting Mandates to Clear Up Feds' Hazy Look into Threat Landscape – Podcast
Read via "Threat Post".
It's about time, AttackIQ's Jonathan Reiber said about 24H/72H report deadlines mandated in the new spending bill. As it is, visibility into adversary behavior has been muck.
Misconfigured Firebase Databases Exposing Data in Mobile Apps
Read via "Threat Post".
Five percent of the databases are vulnerable to threat actors: It's a gold mine of exploit opportunity in thousands of mobile apps, researchers say.
Downdetector: How the popular site outage tracker is helping to improve web security
Read via "The Daily Swig".
"Minutes matter, and being able to get that additional feed can give infosec teams the edge"
Stopping Russian Cyberattacks at Their Source
Read via "Dark Reading".
Step up training with cybersecurity drills, teach how to avoid social engineering traps, share open source monitoring tools, and make multifactor authentication the default.
CVE-2021-44906
Read via "National Vulnerability Database".
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2022-25364
Read via "National Vulnerability Database".
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible by default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible by default.)
CVE-2022-26503
Read via "National Vulnerability Database".
Deserialization of untrusted data in Veeam Agent for Windows 2.0, 2.1, 2.2, 3.0.2, 4.x, and 5.x allows local users to run arbitrary code with local system privileges.
CVE-2022-24759
Read via "National Vulnerability Database".
`@chainsafe/libp2p-noise` contains a TypeScript implementation of the Noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose as other peers and get those peers banned. Users should upgrade to version 4.1.2 or 5.0.3 to receive a patch. There are currently no known workarounds.
CVE-2020-15591
Read via "National Vulnerability Database".
fexsrv in F*EX (aka Frams' Fast File EXchange) before fex-20160919_2 allows eval injection (for unauthenticated remote code execution).
CVE-2022-26526
Read via "National Vulnerability Database".
Anaconda Anaconda3 through 2021.11.0.0 and Miniconda3 through 11.0.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed.)
Configuration Essential to MFA Enforcement
Read via "Digital Guardian".
Organizations should enforce MFA for all users but avoid default MFA protocols that can be abused to steal sensitive data.
Dev Sabotages Popular NPM Package to Protest Russian Invasion
Read via "Threat Post".
In the latest software supply-chain attack, the code maintainer added malicious code to the hugely popular node-ipc library to replace files with a heart emoji and a peacenotwar module.
Titaniam Announces Completion of Product Suite
Read via "Dark Reading".
The Titaniam Suite includes ransomware and extortion defense capabilities in the form of five products.
Cloudflare Announces API Gateway
Read via "Dark Reading".
Organizations can secure, manage, and monitor all of their APIs in one easy-to-use dashboard.
Glasswall Launches Freemium Version of its Desktop Content Disarm and Reconstruction App
Read via "Dark Reading".
Glasswall technology offers proactive protection from file-based cybersecurity threats.
Nok Nok Labs Unveils S3 Authentication Suite
Read via "Dark Reading".
Enhancements include support for OpenID Connect as an integration mechanism.