🛑 Cybersecurity & Privacy 🛑 - News
25K subscribers
88.4K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-22795 ‼

A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-22794 ‼

A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

📖 Read

via "National Vulnerability Database".
‼ CVE-2019-6834 ‼

A CWE-502: Deserialization of Untrusted Data vulnerability exists which could allow an attacker to execute arbitrary code on the targeted system with SYSTEM privileges when placing a malicious user to be authenticated for this vulnerability to be successfully exploited. Affected Product: Schneider Electric Software Update (SESU) SUT Service component (V2.1.1 to V2.3.0)

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0221 ‼

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could result in information disclosure when opening a malicious solution file provided by an attacker with SCADAPack Workbench. This could be exploited to pass data from local files to a remote system controlled by an attacker. Affected Product: SCADAPack Workbench (6.6.8a and prior)

📖 Read

via "National Vulnerability Database".
‼ CVE-2015-20107 ‼

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-42136 ‼

A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes Functionality of REDCap 11.2.5 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-22797 ‼

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)

📖 Read

via "National Vulnerability Database".
🕴 Securing the Stopgap: Controlling Access to SaaS Applications 🕴

If enterprises continue to use emergency measures as long-term solutions, they must protect their IT estate.

📖 Read

via "Dark Reading".
🕴 KKR to Acquire Barracuda Networks 🕴

The transaction is anticipated to close by the end of the year.

📖 Read

via "Dark Reading".
🕴 Palo Alto Networks Extends SASE to Protect Home Networks With Okyo Garde Enterprise Edition 🕴

Okyo Garde Enterprise Edition includes an option for at-home employees to create separate private and personal networks.

📖 Read

via "Dark Reading".
‼ CVE-2022-24828 ‼

Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24844 ‼

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Users must require JWT login, and be using PostgreSQL, to be affected. This issue has been resolved in version 2.5.1. There are no known workarounds.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24818 ‼

GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application does not allow usage of remotely provided JNDI strings.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24816 ‼

JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

📖 Read

via "National Vulnerability Database".
🕴 Secure Systems Need Hardware-Enhanced Tools, Intel Says 🕴

A new Intel study finds that while adoption of hardware-assisted security is still low, there is a lot of interest in how it can secure system layers such as the operating system and hypervisor.

📖 Read

via "Dark Reading".
‼ CVE-2022-24845 ‼

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In affected versions, the return of `<iface>.returns_int128()` is not validated to fall within the bounds of `int128`. This issue can result in a misinterpretation of the integer value and lead to incorrect behavior. As of v0.3.0, `<iface>.returns_int128()` is validated in simple expressions, but not complex expressions. Users are advised to upgrade. There is no known workaround for this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43154 ‼

Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24847 ‼

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attacker needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24843 ‼

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Gin-vue-admin 2.50 has an arbitrary file read vulnerability due to a lack of parameter validation. This has been resolved in version 2.5.1. There are no known workarounds for this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1350 ‼

A vulnerability classified as problematic was found in Ghostscript 9.55.0. This vulnerability affects the function chunk_free_object of the file gsmchunk.c. The manipulation with a malicious file leads to memory corruption. The attack can be initiated remotely but requires user interaction. The exploit has been disclosed to the public as a POC and may be used. It is recommended to apply the patches to fix this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1279 ‼

A vulnerability in the encryption implementation of EBICS messages in the open source library ebics-java/ebics-java-client allows an attacker sniffing network traffic to decrypt EBICS payloads. This issue affects: ebics-java/ebics-java-client versions prior to 1.2.

📖 Read

via "National Vulnerability Database".