CVE-2021-46434
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** EMQ X Dashboard V3.0.0 is affected by username enumeration in the "/api/v3/auth" interface. When a user logs in, the application returns different results depending on whether the account exists, which allows an attacker to determine whether a given username is valid.
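The weakness class behind this entry is easy to reproduce and to test for. The block below is an added example, not EMQ X code: it pairs a toy login handler that leaks account existence through its status code and message with a hardened version that returns one failure response for every case, plus the two-username probe a tester would run to tell them apart. The route is omitted, and the user store, salt, messages and function names are constructed for the demonstration.

```python
"""Username enumeration via divergent login responses (added example).

Illustrates the weakness class behind CVE-2021-46434 with a toy login handler.
This is not EMQ X code; the user store, salt, messages and names below are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, derived key). Not real credentials.
_SALT = b"constructed-salt"
USERS = {"admin": (_SALT, _pbkdf2("correct horse", _SALT))}

# A dummy record so the hardened path does the same hashing work for unknown
# usernames: response *time* should be as uniform as the response *body*.
_DUMMY = (_SALT, _pbkdf2(secrets.token_hex(8), _SALT))


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: status and body reveal whether the account exists."""
    if username not in USERS:
        return 404, "user not found"  # distinguishable from a wrong password
    salt, stored = USERS[username]
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        return 200, "ok"
    return 401, "wrong password"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened pattern: one status and one message for every failure."""
    salt, stored = USERS.get(username, _DUMMY)  # always hash, even for unknown users
    if username in USERS and hmac.compare_digest(_pbkdf2(password, salt), stored):
        return 200, "ok"
    return 401, "invalid username or password"


def enumeration_oracle(login, known_bad_user: str, probe_user: str) -> bool:
    """Black-box check a tester (or attacker) runs: submit a wrong password for a
    username that certainly does not exist and for the one being probed, and
    report whether the two responses differ in any way."""
    baseline = login(known_bad_user, "x")
    probe = login(probe_user, "x")
    return baseline != probe
```

The oracle compares the whole (status, body) pair; in a real assessment it would also compare headers, redirect targets and response timing, since any one of those channels is enough to confirm a username.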
CVE-2021-43725
via "National Vulnerability Database".
There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login.php of Spotweb 1.5.1 and below, which allows remote attackers to inject arbitrary web script or HTML via the data[performredirect] parameter.
CVE-2022-0342
via "National Vulnerability Database".
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4 could allow an attacker to bypass the web authentication and obtain administrative access to the device.
ENISA urges data-handling innovation amid growing tide of healthcare breaches
via "The Daily Swig".
Infosec agency sets out use cases for clinical trials, data exchange, and connected devices
Attackers getting faster at latching onto unpatched vulnerabilities for stealth hacking campaigns (report)
via "The Daily Swig".
Enterprises need to be ready with "battle-tested incident response procedures" as zero-day exploitation ramps up
CVE-2021-43721
via "National Vulnerability Database".
Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markdown type note. This leads to remote code execution with the payload: <video src=x onerror=(function(){require('child_process').exec('calc');})();>
CVE-2021-44103
via "National Vulnerability Database".
Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to elevate their privileges to full administrative access. The attack vector is a crafted request, as demonstrated by the ADMIN parameter of /api/user/{ID}.
Critical Sophos Security Bug Allows RCE on Firewalls
via "Threat Post".
The security vendor's appliance suffers from an authentication-bypass issue.
CVE-2021-44124
via "National Vulnerability Database".
Hiby Music Hiby OS R3 Pro 1.5 and 1.6 is vulnerable to Directory Traversal. The HTTP server does not sufficiently sanitize input when serving data from the SD card, so an attacker can navigate the device's file system over HTTP.
Okta Says It Goofed in Handling the Lapsus$ Attack
via "Threat Post".
"We made a mistake," Okta said, owning up to its responsibility for security incidents that hit its service providers and potentially its own customers.
Vodafone Portugal: The Attack on Brand Reputations and Public Confidence Through Cybercrime
via "Dark Reading".
Companies must prepare effective, data-driven threat-response strategies as they monitor for reputational risks as well as cyberattacks.
Google: Update Chrome Now to Fix Zero-Day
via "Digital Guardian".
An emergency update for Google Chrome, released Friday, fixes a zero-day that's being exploited in attacks.
CVE-2022-1056
via "National Vulnerability Database".
Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.
CVE-2022-26980
via "National Vulnerability Database".
Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO.
CVE-2022-0751
via "National Vulnerability Database".
Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an attacker to create Snippets with misleading content which could trick unsuspecting users into executing arbitrary commands.
CVE-2022-0738
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.
CVE-2022-0818
via "National Vulnerability Database".
The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, and does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.
CVE-2022-0680
via "National Vulnerability Database".
The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue.
CVE-2022-0499
via "National Vulnerability Database".
The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.
CVE-2022-0479
via "National Vulnerability Database".
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link.
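The entry above describes one parameter feeding two sinks: a SQL statement and the HTML echoed back to the admin. The block below is an added example of that pattern and its fix, written in Python with sqlite3; it is not Popup Builder code (which is PHP), and the table, column names, sample rows and function names are constructed for the demonstration.

```python
"""One unsanitised request parameter, two sinks: SQL and reflected HTML (added example).

Models the weakness class in CVE-2022-0479 with a constructed subscribers table.
Not Popup Builder code; schema, rows and names are invented for the demonstration.
"""
from __future__ import annotations

import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed subscribers table: popup 7 has two subscribers, popup 9 has one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE subscribers (id INTEGER PRIMARY KEY, popup_id INTEGER, email TEXT);
        INSERT INTO subscribers VALUES (1, 7, 'a@example.test');
        INSERT INTO subscribers VALUES (2, 7, 'b@example.test');
        INSERT INTO subscribers VALUES (3, 9, 'c@example.test');
        """
    )
    return conn


def subscribers_leaky(conn: sqlite3.Connection, popup_id: str) -> list[str]:
    """Vulnerable: the request parameter is pasted into the statement text, so
    '7 OR 1=1' turns a per-popup query into a dump of every subscriber."""
    sql = f"SELECT email FROM subscribers WHERE popup_id = {popup_id}"
    return [row[0] for row in conn.execute(sql)]


def subscribers_safe(conn: sqlite3.Connection, popup_id: str) -> list[str]:
    """Hardened: enforce the type the parameter is supposed to have, then bind it
    as a placeholder so its content can never become SQL syntax."""
    try:
        pid = int(popup_id)
    except ValueError:
        raise ValueError(f"popup_id must be an integer, got {popup_id!r}") from None
    sql = "SELECT email FROM subscribers WHERE popup_id = ?"
    return [row[0] for row in conn.execute(sql, (pid,))]


def injection_succeeds(query_fn, conn: sqlite3.Connection, payload: str = "7 OR 1=1") -> bool:
    """Report whether a tautology payload widens the result set beyond popup 7."""
    try:
        return len(query_fn(conn, payload)) > len(query_fn(conn, "7"))
    except ValueError:
        return False


def error_page_leaky(popup_id: str) -> str:
    """Vulnerable second sink: the same parameter is echoed into HTML unescaped,
    which is the reflected XSS the advisory mentions."""
    return f"<p>No subscribers for popup {popup_id}</p>"


def error_page_safe(popup_id: str) -> str:
    """Hardened: HTML-escape anything that came from the request before echoing it."""
    return f"<p>No subscribers for popup {html.escape(popup_id)}</p>"
```

Binding the parameter closes the SQL sink, but the XSS sink is independent of it: escaping on output is still needed even after the query is parameterised.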
CVE-2022-0679
via "National Vulnerability Database".
The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users), which results in the disclosure of arbitrary files, as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks, but that depends on the underlying system and its configuration.
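This entry and the Hiby CVE-2021-44124 entry above are the same weakness from two angles: a client-supplied path that is used to read (or include) a file without being confined to the intended directory. The block below is an added example, not code from Hiby or the Narnoo plugin; the web root, the files in it and the function names are constructed here. It shows the leaky join, a containment check made on the canonicalised path, and the allowlist design that is the better answer for include/require-style loading.

```python
"""Path traversal and arbitrary file inclusion, vulnerable vs. contained (added example).

Demonstrates the weakness class in CVE-2021-44124 (files served from an SD card over
HTTP) and CVE-2022-0679 (a user-supplied lib_path passed to require()). The layout
and helpers are constructed; none of this is Hiby or Narnoo code.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Constructed "web root" with one public file, and a secret one level above it.
ROOT_PARENT = Path(tempfile.mkdtemp())
WEBROOT = ROOT_PARENT / "sdcard"
WEBROOT.mkdir()
(WEBROOT / "track.txt").write_text("public track metadata\n")
(ROOT_PARENT / "secret.conf").write_text("admin_password=constructed\n")


def read_leaky(requested: str) -> str:
    """Vulnerable: joins the request path onto the root and trusts the result.
    '../secret.conf' walks out of WEBROOT, and an absolute path discards WEBROOT
    entirely because os.path.join restarts at an absolute component."""
    return Path(os.path.join(WEBROOT, requested)).read_text()


def read_contained(requested: str) -> str:
    """Hardened: canonicalise first, then require the real target to lie under
    WEBROOT. resolve() collapses '..' and follows symlinks, so the decision is
    made on where the path actually points, not on the string the client sent."""
    if requested.startswith(("/", "\\")) or Path(requested).is_absolute():
        raise PermissionError("absolute paths are not allowed")
    root = WEBROOT.resolve()
    target = (WEBROOT / requested).resolve()
    if target == root or not target.is_relative_to(root):
        raise PermissionError(f"path escapes web root: {requested!r}")
    return target.read_text()


# For include/require-style loading, path checks are the weaker design: let the
# client pick a key from a fixed table and never build a path from its input.
LIBRARIES = {"track": WEBROOT / "track.txt"}


def include_allowlisted(name: str) -> str:
    """Hardened include: the client chooses a name, never a filesystem path."""
    try:
        return LIBRARIES[name].read_text()
    except KeyError:
        raise PermissionError(f"unknown library {name!r}") from None


def probe(reader, requested: str) -> str:
    """Send one request through a reader and classify the outcome."""
    try:
        return "disclosed" if "admin_password" in reader(requested) else "served"
    except (PermissionError, FileNotFoundError, IsADirectoryError):
        return "denied"
```

The absolute-path check runs before resolve() because `WEBROOT / "/etc/passwd"` is simply `/etc/passwd`; the resolve-then-compare step then catches `..` sequences, including ones routed through non-existent intermediate directories.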