‼ CVE-2020-21554 ‼
📖 Read
via "National Vulnerability Database".
A File Deletion vulnerability exists in TinyShop 3.1.1 in the back_list parameter in controllers\admin.php, which could let a malicious user delete any file such as install.lock to reinstall cms.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26263 ‼
📖 Read
via "National Vulnerability Database".
Yonyou u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via the component /u8sl/WebHelp.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43091 ‼
📖 Read
via "National Vulnerability Database".
An SQL Injection vlnerability exits in Yeswiki doryphore 20211012 via the email parameter in the registration form.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24777 ‼
📖 Read
via "National Vulnerability Database".
grpc-swift is the Swift language implementation of gRPC, a remote procedure call (RPC) framework. Prior to version 1.7.2, a grpc-swift server is vulnerable to a denial of service attack via a reachable assertion. This is due to incorrect logic when handling GOAWAY frames. The attack is low-effort: it takes very little resources to construct and send the required sequence of frames. The impact on availability is high as the server will crash, dropping all in flight connections and requests. This issue is fixed in version 1.7.2. There are currently no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25577 ‼
📖 Read
via "National Vulnerability Database".
ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25582 ‼
📖 Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in the Column module of ClassCMS v2.5 and below allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Add Articles field.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25574 ‼
📖 Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in the upload function of /admin/show.php allows attackers to execute arbitrary web scripts or HTML via a crafted image file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46426 ‼
📖 Read
via "National Vulnerability Database".
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.📖 Read
via "National Vulnerability Database".
🔏 Friday Five 3/25 🔏
📖 Read
via "".
Two nation-state hacking campaigns revealed, gauging federal cyber collaboration, and more - catch up on the news of the week with the Friday Five!📖 Read
via "".
Digital Guardian
Friday Five 3/25
Two nation-state hacking campaigns revealed, gauging federal cyber collaboration, and more - catch up on the news of the week with the Friday Five!
🕴 How Do I Demonstrate the ROI of My Security Program? 🕴
📖 Read
via "Dark Reading".
Security teams must shift away from saying no, align security initiatives to business goals, and report metrics in a way business leaders can understand.📖 Read
via "Dark Reading".
Dark Reading
How Do I Demonstrate the ROI of My Security Program?
Security teams must shift away from saying no, align security initiatives to business goals, and report metrics in a way business leaders can understand.
‼ CVE-2022-1049 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3941 ‼
📖 Read
via "National Vulnerability Database".
In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3422 ‼
📖 Read
via "National Vulnerability Database".
The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. See https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Enableareceiver for more information on configuring an indexer to listen for UF traffic. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. As a partial mitigation and a security best practice, see https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates and https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Controlforwarderaccess. Implementation of either or both reduces the severity to Medium.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27885 ‼
📖 Read
via "National Vulnerability Database".
Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/website/data.html via the select and input parameters.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3933 ‼
📖 Read
via "National Vulnerability Database".
An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20323 ‼
📖 Read
via "National Vulnerability Database".
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4203 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0983 ‼
📖 Read
via "National Vulnerability Database".
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-22100 ‼
📖 Read
via "National Vulnerability Database".
In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and fail is possible. An attacker can leverage this vulnerability to cause an inability for anyone to push or manage apps.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4157 ‼
📖 Read
via "National Vulnerability Database".
An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4202 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.📖 Read
via "National Vulnerability Database".