βΌ CVE-2021-44907 βΌ
π Read
via "National Vulnerability Database".
A Denial of Service vulnerability exists in qs up to 6.8.0 due to insufficient sanitization of property in the gs.parse function. The merge() function allows the assignment of properties on an array in the query. For any property being assigned, a value in the array is converted to an object containing these properties. Essentially, this means that the property whose expected type is Array always has to be checked with Array.isArray() by the user. This may not be obvious to the user and can cause unexpected behavior.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26500 βΌ
π Read
via "National Vulnerability Database".
Improper limitation of path names in Veeam Backup & Replication 9.5U3, 9.5U4,10.x, and 11.x allows remote authenticated users access to internal API functions that allows attackers to upload and execute arbitrary code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26504 βΌ
π Read
via "National Vulnerability Database".
Improper authentication in Veeam Backup & Replication 9.5U3, 9.5U4,10.x and 11.x component used for Microsoft System Center Virtual Machine Manager (SCVMM) allows attackers execute arbitrary code via Veeam.Backup.PSManager.exeπ Read
via "National Vulnerability Database".
βΌ CVE-2022-26501 βΌ
π Read
via "National Vulnerability Database".
Veeam Backup & Replication 10.x and 11.x has Incorrect Access Control (issue 1 of 2).π Read
via "National Vulnerability Database".
βΌ CVE-2021-46107 βΌ
π Read
via "National Vulnerability Database".
Ligeo Archives Ligeo Basics as of 02_01-2022 is vulnerable to Server Side Request Forgery (SSRF) which allows an attacker to read any documents via the download features.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45040 βΌ
π Read
via "National Vulnerability Database".
The Spatie media-library-pro library through 1.17.10 and 2.x through 2.1.6 for Laravel allows remote attackers to upload executable files via the uploads route.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21822 βΌ
π Read
via "National Vulnerability Database".
NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24770 βΌ
π Read
via "National Vulnerability Database".
`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these commands, which could lead to arbitrary commands running on the user's computer. The problem has been patched as of `2.8.11`, which escapes the saved csv with single quotes. As a workaround, avoid opening csv files generated by `gradio` with Excel or similar spreadsheet programs.π Read
via "National Vulnerability Database".
βοΈ Pro-Ukraine βProtestwareβ Pushes Antiwar Ads, Geo-Targeted Malware βοΈ
π Read
via "Krebs on Security".
Researchers are tracking a number of open-source "protestware" projects on GitHub that have recently altered their code to display "Stand with Ukraine" messages for users, or basic facts about the carnage in Ukraine. The group also is tracking several code packages that were recently modified to erase files on computers that appear to be coming from Russian or Belarusian Internet addresses.π Read
via "Krebs on Security".
Krebs on Security
Pro-Ukraine βProtestwareβ Pushes Antiwar Ads, Geo-Targeted Malware
Researchers are tracking a number of open-source "protestware" projects on GitHub that have recently altered their code to display "Stand with Ukraine" messages for users, or basic facts about the carnage in Ukraine. The group also is tracking several codeβ¦
π΄ 6 Reasons Not to Pay Ransomware Attackers π΄
π Read
via "Dark Reading".
Paying a ransom might appear to be the best option, but it comes with its own costs.π Read
via "Dark Reading".
Dark Reading
6 Reasons Not to Pay Ransomware Attackers
Paying a ransom might appear to be the best option, but it comes with its own costs.
βΌ CVE-2022-24302 βΌ
π Read
via "National Vulnerability Database".
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0758 βΌ
π Read
via "National Vulnerability Database".
Rapid7 Nexpose versions 6.6.129 and earlier suffer from a reflected cross site scripting vulnerability, within the shared scan configuration component of the tool. With this vulnerability an attacker could pass literal values as the test credentials, providing the opportunity for a potential XSS attack. This issue is fixed in Rapid7 Nexpose version 6.6.130.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2021-44088 βΌ
π Read
via "National Vulnerability Database".
An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44087 βΌ
π Read
via "National Vulnerability Database".
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows an unauthenticated remote attacker to upload a maliciously crafted PHP via photo upload.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0237 βΌ
π Read
via "National Vulnerability Database".
Rapid7 Insight Agent versions 3.1.2.38 and earlier suffer from a privilege escalation vulnerability, whereby an attacker can hijack the flow of execution due to an unquoted argument to the runas.exe command used by the ir_agent.exe component, resulting in elevated rights and persistent access to the machine. This issue was fixed in Rapid7 Insight Agent version 3.1.3.80.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0757 βΌ
π Read
via "National Vulnerability Database".
Rapid7 Nexpose versions 6.6.93 and earlier are susceptible to an SQL Injection vulnerability, whereby valid search operators are not defined. This lack of validation can allow an attacker to manipulate the "ANY" and "OR" operators in the SearchCriteria and inject SQL code. This issue was fixed in Rapid7 Nexpose version 6.6.129.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43961 βΌ
π Read
via "National Vulnerability Database".
Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26965 βΌ
π Read
via "National Vulnerability Database".
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27240 βΌ
π Read
via "National Vulnerability Database".
scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer overflow associated with a webauthn assertion.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45966 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45967 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.π Read
via "National Vulnerability Database".