🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-28223 ‼

Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27772 ‼

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1160 ‼

Heap buffer overflow in get_one_sourceline in GitHub repository vim/vim prior to 8.2.

📖 Read

via "National Vulnerability Database".
🕴 CISA, DOE Warn of Attacks on Uninterruptible Power Supply (UPS) Devices 🕴

Take UPS management interfaces off the Internet "immediately," agencies say.

📖 Read

via "Dark Reading".
‼ CVE-2019-12266 ‼

Stack-based Buffer Overflow vulnerability in Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to run arbitrary code on the affected device. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40645 ‼

An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter of the getHaveDoneTaskDataList method of the FlowTaskController.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40644 ‼

An SQL Injection vulnerability exists in oasys oa_system as of 9/7/2021 in resources/mappers/notice-mapper.xml.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24763 ‼

PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.

📖 Read

via "National Vulnerability Database".
‼ CVE-2019-9564 ‼

A vulnerability in the authentication logic of Wyze Cam Pan v2, Cam v2, Cam v3 allows an attacker to bypass login and control the devices. This issue affects: Wyze Cam Pan v2 versions prior to 4.49.1.47. Wyze Cam v2 versions prior to 4.9.8.1002. Wyze Cam v3 versions prior to 4.36.8.32.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-45031 ‼

A vulnerability in MEPSAN's USC+ before version 3.0 has a weakness in the login function which lets attackers generate passwords for high-privileged accounts.

📖 Read

via "National Vulnerability Database".
🕴 Zero-Day Vulnerability Discovered in Java Spring Framework 🕴

A proof-of-concept exploit allows remote compromises of Spring Web applications.

📖 Read

via "Dark Reading".
‼ CVE-2022-24790 ‼

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turn on any and all functionality that ensures the request matches the RFC7230 standard.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-46008 ‼

In TOTOLINK A3100R V5.9c.4577, the hard-coded telnet password can be recovered from the officially released firmware. An attacker who has connected to the Wi-Fi can easily telnet into the target and obtain a root shell if the telnet function is turned on.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-46010 ‼

Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43664 ‼

totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-46006 ‼

In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43142 ‼

An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-33208 ‼

The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-38362 ‼

In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-26644 ‼

Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-25008 ‼

TOTOLINK EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 do not contain an authentication mechanism.

📖 Read

via "National Vulnerability Database".