🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-26572 ‼

Xerox ColorQube 8580 was discovered to contain an access control issue which allows attackers to print, view the status, and obtain sensitive information.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24801 ‼

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to version 22.4.0rc1, the Twisted Web HTTP 1.1 server, located in the `twisted.web.http` module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling. Users who may be affected use Twisted Web's HTTP 1.1 server and/or proxy and also pass requests through a different HTTP server and/or proxy. The Twisted Web client is not affected. The HTTP 2.0 server uses a different parser, so it is not affected. The issue has been addressed in Twisted 22.4.0rc1. Two workarounds are available: Ensure any vulnerabilities in upstream proxies have been addressed, such as by upgrading them; or filter malformed requests by other means, such as configuration of an upstream proxy.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43464 ‼

A Remote Code Execution (RCE) vulnerability exists in Subrion CMS 4.2.1 via modified code in a background field; when the information is modified, the data in it will be executed through eval().

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-25569 ‼

Bettini Srl GAMS Product Line v4.3.0 was discovered to re-use static SSH keys across installations, allowing unauthenticated attackers to log in as root by extracting a key from the software.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24813 ‼

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki's GitHub repository.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24814 ‼

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable live embeds in the what-you-see-is-what-you-get (WYSIWYG) editor by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

📖 Read

via "National Vulnerability Database".
🕴 How Do I Decide Whether to Buy or Build in Security? 🕴

To build or buy — that is the question. Security teams have to consider maintenance costs and compliance questions when they go down the build-it-yourself path.

📖 Read

via "Dark Reading".
🕴 Millions of Installations Potentially Vulnerable to Spring Framework Flaw 🕴

Internet scan indicates hundreds of thousands of vulnerable installations, while data from the major Java repository suggests millions, firms say.

📖 Read

via "Dark Reading".
⚠ LAPSUS$ hacks continue despite two UK hacker suspects in court ⚠

Do you know where in your company to report security anomalies? If you receive such reports, do you have an efficient way to process them?

📖 Read

via "Naked Security".
🕴 Apple Gift Card Scammers Sentenced for Role in $1.5M Fraud 🕴

Criminal conspiracy included theft of Apple point-of-sale devices.

📖 Read

via "Dark Reading".
‼ CVE-2022-1233 ‼

URL confusion when the scheme is not supplied, in GitHub repository medialize/uri.js prior to 1.19.11.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1174 ‼

A potential DoS vulnerability discovered in GitLab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 allows an attacker to trigger high CPU usage via specially crafted input added to Issues, Merge requests, Milestones, Snippets, Wiki pages, etc.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0740 ‼

Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, and all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27609 ‼

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of its services against users with Administrator privileges. This could allow such a user to disable Forcepoint One Endpoint and the protection it offers.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27649 ‼

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23700 ‼

A local unauthorized file read vulnerability was discovered in HPE OneView versions prior to 6.6. HPE has provided a software update to resolve this vulnerability in HPE OneView.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27650 ‼

A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32985 ‼

AVEVA System Platform versions 2017 through 2020 R2 P01 do not properly verify that the source of data or communication is valid.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32978 ‼

The programming protocol allows for a previously entered password and lock state to be read by an attacker. If the previously entered password was successful, the attacker can then use the password to unlock Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32984 ‼

All programming connections receive the same unlocked privileges, which can result in a privilege escalation. While Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 are unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27651 ‼

A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.

📖 Read

via "National Vulnerability Database".