‼ CVE-2021-36775 ‼
via "National Vulnerability Database".
An Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.
🗓️ Trezor cryptocurrency wallets targeted with phishing attacks following Mailchimp compromise 🗓️
via "The Daily Swig".
Company claims false data breach emails were spread via newsletters
🗓️ Supply chain flaws in PHP package manager PEAR lay undiscovered for 15 years 🗓️
via "The Daily Swig".
PEAR was ripe for exploitation via cryptographic flaw and bug in outdated dependency
‼ CVE-2021-43458 ‼
via "National Vulnerability Database".
An Unquoted Service Path vulnerability exists in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.
‼ CVE-2021-43455 ‼
via "National Vulnerability Database".
An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via a specially crafted file in the FreeLAN Service path.
‼ CVE-2021-43456 ‼
via "National Vulnerability Database".
An Unquoted Service Path vulnerability exists in Rumble Mail Server 0.51.3135 via a specially crafted file in the RumbleService executable service path.
‼ CVE-2022-27435 ‼
via "National Vulnerability Database".
An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component.
‼ CVE-2022-28063 ‼
via "National Vulnerability Database".
Simple Bakery Shop Management System v1.0 contains a file disclosure via /bsms/?page=products.
‼ CVE-2022-27436 ‼
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_user at Ecommerce-Website v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username text field.
‼ CVE-2021-43457 ‼
via "National Vulnerability Database".
An Unquoted Service Path vulnerability exists in bVPN 2.5.1 via a specially crafted file in the waselvpnserv service path.
‼ CVE-2022-1026 ‼
via "National Vulnerability Database".
Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function.
‼ CVE-2022-28062 ‼
via "National Vulnerability Database".
Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code.
‼ CVE-2021-43454 ‼
via "National Vulnerability Database".
An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.394 via a specially crafted file in the ATService path.
‼ CVE-2022-24787 ‼
via "National Vulnerability Database".
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. In version 0.3.1 and prior, bytestrings can have dirty bytes in them, resulting in the word-for-word comparisons giving incorrect results. Even without dirty nonzero bytes, two bytestrings can compare to equal if one ends with `"\x00"` because there is no comparison of the length. A patch is available and expected to be part of the 0.3.2 release. There are currently no known workarounds.
‼ CVE-2022-0990 ‼
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
‼ CVE-2022-26572 ‼
via "National Vulnerability Database".
Xerox ColorQube 8580 was discovered to contain an access control issue which allows attackers to print, view the status, and obtain sensitive information.
‼ CVE-2022-24801 ‼
via "National Vulnerability Database".
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.
‼ CVE-2021-43464 ‼
via "National Vulnerability Database".
A Remote Code Execution (RCE) vulnerability exists in Subrion CMS 4.2.1 via modified code in a background field; when the information is modified, the data in it will be executed through eval().
‼ CVE-2022-25569 ‼
via "National Vulnerability Database".
Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to login as root users via extracting a key from the software.
‼ CVE-2022-24813 ‼
via "National Vulnerability Database".
CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository.
‼ CVE-2022-24814 ‼
via "National Vulnerability Database".
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.