‼ CVE-2021-46426 ‼
📖 Read
via "National Vulnerability Database".
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.📖 Read
via "National Vulnerability Database".
🔏 Friday Five 3/25 🔏
📖 Read
via "".
Two nation-state hacking campaigns revealed, gauging federal cyber collaboration, and more - catch up on the news of the week with the Friday Five!📖 Read
via "".
Digital Guardian
Friday Five 3/25
Two nation-state hacking campaigns revealed, gauging federal cyber collaboration, and more - catch up on the news of the week with the Friday Five!
🕴 How Do I Demonstrate the ROI of My Security Program? 🕴
📖 Read
via "Dark Reading".
Security teams must shift away from saying no, align security initiatives to business goals, and report metrics in a way business leaders can understand.📖 Read
via "Dark Reading".
Dark Reading
How Do I Demonstrate the ROI of My Security Program?
Security teams must shift away from saying no, align security initiatives to business goals, and report metrics in a way business leaders can understand.
‼ CVE-2022-1049 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3941 ‼
📖 Read
via "National Vulnerability Database".
In ImfChromaticities.cpp routine RGBtoXYZ(), there are some division operations such as `float Z = (1 - chroma.white.x - chroma.white.y) * Y / chroma.white.y;` and `chroma.green.y * (X + Z))) / d;` but the divisor is not checked for a 0 value. A specially crafted file could trigger a divide-by-zero condition which could affect the availability of programs linked with OpenEXR.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3422 ‼
📖 Read
via "National Vulnerability Database".
The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. See https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Enableareceiver for more information on configuring an indexer to listen for UF traffic. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. As a partial mitigation and a security best practice, see https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkforwardingtousesignedcertificates and https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Controlforwarderaccess. Implementation of either or both reduces the severity to Medium.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27885 ‼
📖 Read
via "National Vulnerability Database".
Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/website/data.html via the select and input parameters.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3933 ‼
📖 Read
via "National Vulnerability Database".
An integer overflow could occur when OpenEXR processes a crafted file on systems where size_t < 64 bits. This could cause an invalid bytesPerLine and maxBytesPerLine value, which could lead to problems with application stability or lead to other attack paths.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20323 ‼
📖 Read
via "National Vulnerability Database".
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4203 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0983 ‼
📖 Read
via "National Vulnerability Database".
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-22100 ‼
📖 Read
via "National Vulnerability Database".
In cloud foundry CAPI versions prior to 1.122, a denial-of-service attack in which a developer can push a service broker that (accidentally or maliciously) causes CC instances to timeout and fail is possible. An attacker can leverage this vulnerability to cause an inability for anyone to push or manage apps.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4157 ‼
📖 Read
via "National Vulnerability Database".
An out of memory bounds write flaw (1 or 2 bytes of memory) in the Linux kernel NFS subsystem was found in the way users use mirroring (replication of files with NFS). A user, having access to the NFS mount, could potentially use this flaw to crash the system or escalate privileges on the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4202 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free flaw was found in nci_request in net/nfc/nci/core.c in NFC Controller Interface (NCI) in the Linux kernel. This flaw could allow a local attacker with user privileges to cause a data race problem while the device is getting removed, leading to a privilege escalation problem.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20290 ‼
📖 Read
via "National Vulnerability Database".
An improper authorization handling flaw was found in Foreman. The OpenSCAP plugin for the smart-proxy allows foreman clients to execute actions that should be limited to the Foreman Server. This flaw allows an authenticated local attacker to access and delete limited resources and also causes a denial of service on the Foreman server. The highest threat from this vulnerability is to integrity and system availability.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-26621 ‼
📖 Read
via "National Vulnerability Database".
An Buffer Overflow vulnerability leading to remote code execution was discovered in MEX01. Remote attackers can use this vulnerability by using the property that the target program copies parameter values to memory through the strcpy() function.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27881 ‼
📖 Read
via "National Vulnerability Database".
engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 has a buffer overflow triggerable by an IPv6 router advertisement with more than seven nameservers. NOTE: privilege separation and pledge can prevent exploitation.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-44477 ‼
📖 Read
via "National Vulnerability Database".
GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26573 ‼
📖 Read
via "National Vulnerability Database".
Maccms v10 was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities in /admin.php/admin/art/data.html via the select and input parameters.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25611 ‼
📖 Read
via "National Vulnerability Database".
Authenticated Stored Cross-Site Scripting (XSS) in Simple Event Planner plugin <= 1.5.4 allows attackers with contributor or higher user roles to inject the malicious script by using vulnerable parameter &custom[add_seg][].📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27884 ‼
📖 Read
via "National Vulnerability Database".
Maccms v10 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in /admin.php/admin/plog/index.html via the wd parameter.📖 Read
via "National Vulnerability Database".