‼ CVE-2022-24781 ‼
📖 Read
via "National Vulnerability Database".
Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24782 ‼
📖 Read
via "National Vulnerability Database".
Discourse is an open source discussion platform. Versions 2.8.2 and prior in the `stable` branch, 2.9.0.beta3 and prior in the `beta` branch, and 2.9.0.beta3 and prior in the `tests-passed` branch are vulnerable to a data leak. Users can request an export of their own activity. Sometimes, due to category settings, they may have category membership for a secure category. The name of this secure category is shown to the user in the export. The same thing occurs when the user's post has been moved to a secure category. A patch for this issue is available in the `main` branch of Discourse's GitHub repository and is anticipated to be part of future releases.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24769 ‼
📖 Read
via "National Vulnerability Database".
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24776 ‼
📖 Read
via "National Vulnerability Database".
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25571 ‼
📖 Read
via "National Vulnerability Database".
Bluedon Information Security Technologies Co.,Ltd Internet Access Detector v1.0 was discovered to contain an information leak which allows attackers to access the contents of the password file via unspecified vectors.📖 Read
via "National Vulnerability Database".
🕴 Russian Nationals Indicted for Epic Triton/Trisis and Dragonfly Cyberattacks on Energy Firms 🕴
📖 Read
via "Dark Reading".
Four Russian government employees were charged by the DoJ for attack campaigns targeting hundreds of energy sector companies and organizations in 135 countries, including the US.📖 Read
via "Dark Reading".
Dark Reading
Russian Nationals Indicted for Epic Triton/Trisis and Dragonfly Cyberattacks on Energy Firms
Four Russian government employees were charged by the DoJ for attack campaigns targeting hundreds of energy sector companies and organizations in 135 countries, including the US.
‼ CVE-2022-26279 ‼
📖 Read
via "National Vulnerability Database".
EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26249 ‼
📖 Read
via "National Vulnerability Database".
Survey King v0.3.0 does not filter data properly when exporting excel files, allowing attackers to execute arbitrary code or access sensitive information via a CSV injection attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26301 ‼
📖 Read
via "National Vulnerability Database".
TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability via the component App\Manage\Controller\ZhuantiController.class.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26272 ‼
📖 Read
via "National Vulnerability Database".
A remote code execution (RCE) vulnerability in Ionize v1.0.8.1 allows attackers to execute arbitrary code via a crafted string written to the file application/config/config.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25575 ‼
📖 Read
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities in Parking Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via crafted payloads injected into the user name, password, and verification code text boxes.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25576 ‼
📖 Read
via "National Vulnerability Database".
Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.📖 Read
via "National Vulnerability Database".
⚠ UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang? ⚠
📖 Read
via "Naked Security".
Seven alleged hackers have been arrested in the UK. But who are they, and which hacking crew are they from?📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
👏2
‼ CVE-2018-25032 ‼
📖 Read
via "National Vulnerability Database".
zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22687 ‼
📖 Read
via "National Vulnerability Database".
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22688 ‼
📖 Read
via "National Vulnerability Database".
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.📖 Read
via "National Vulnerability Database".
🗓️ HTTP request smuggling bug patched in mitmproxy 🗓️
📖 Read
via "The Daily Swig".
Bug exploited inconsistencies between intermediary and backend servers📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
HTTP request smuggling bug patched in mitmproxy
Bug exploited inconsistencies between intermediary and backend servers
‼ CVE-2021-44751 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability affecting F-Secure SAFE browser before March 22, 2022 was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction.📖 Read
via "National Vulnerability Database".
❌ Google Chrome Zero-Day Bugs Exploited Weeks Ahead of Patch ❌
📖 Read
via "Threat Post".
Two separate campaigns from different threat actors targeted users with the same exploit kit for more than a month before the company fixed an RCE flaw found in February.📖 Read
via "Threat Post".
Threat Post
Google Chrome Zero-Day Bugs Exploited Weeks Ahead of Patch
Two separate campaigns from different threat actors targeted users with the same exploit kit for more than a month before the company fixed an RCE flaw found in February.
🕴 HR Alone Can't Solve the Great Resignation 🕴
📖 Read
via "Dark Reading".
Here's how IT teams and decision-makers can step up to support the workforce. Creating a culture of feedback and introducing automation can mitigate burnout, inspire employees, and reduce turnover.📖 Read
via "Dark Reading".
Dark Reading
HR Alone Can't Solve the Great Resignation
Here's how IT teams and decision-makers can step up to support the workforce. Creating a culture of feedback and introducing automation can mitigate burnout, inspire employees, and reduce turnover.
‼ CVE-2022-1064 ‼
📖 Read
via "National Vulnerability Database".
SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1.📖 Read
via "National Vulnerability Database".