‼ CVE-2021-44366 ‼
📖 Read
via "National Vulnerability Database".
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-44356 ‼
📖 Read
via "National Vulnerability Database".
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27848 ‼
📖 Read
via "National Vulnerability Database".
Authenticated (admin+ user) Stored Cross-Site Scripting (XSS) in Modern Events Calendar Lite (WordPress plugin) <= 6.5.1📖 Read
via "National Vulnerability Database".
‼ CVE-2022-21154 ‼
📖 Read
via "National Vulnerability Database".
An integer overflow vulnerability exists in the fltSaveCMP functionality of Leadtools 22. A specially-crafted BMP file can lead to an integer overflow, that in turn causes a buffer overflow. An attacker can provide a malicious BMP file to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22968 ‼
📖 Read
via "National Vulnerability Database".
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-44394 ‼
📖 Read
via "National Vulnerability Database".
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
🕴 greymatter.io Closes $7.1 Million Series A to Meet Rising Need for Its Enterprise Microservices Platform 🕴
📖 Read
via "Dark Reading".
Elsewhere Partners invests in proven service mesh and API management innovator as it grows team and breaks into new markets.📖 Read
via "Dark Reading".
Dark Reading
greymatter.io Closes $7.1 Million Series A to Meet Rising Need for Its Enterprise Microservices Platform
Elsewhere Partners invests in proven service mesh and API management innovator as it grows team and breaks into new markets.
🕴 Kaspersky Relocates Cyberthreat-Related Data Processing for Users in Latin America and Middle East to Switzerland 🕴
📖 Read
via "Dark Reading".
Also, it re-certifies its data services by TÜV AUSTRIA.📖 Read
via "Dark Reading".
Dark Reading
Kaspersky Relocates Cyberthreat-Related Data Processing for Users in Latin America and Middle East to Switzerland
Also, it re-certifies its data services by TÜV AUSTRIA.
‼ CVE-2022-24853 ‼
📖 Read
via "National Vulnerability Database".
Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an `NTLM relay attack`, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24849 ‼
📖 Read
via "National Vulnerability Database".
DisCatSharp is a Discord API wrapper for .NET. Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two `RequireDisCatSharpDeveloperAttribute`s or the `BaseDiscordClient.LibraryDeveloperTeam` have potentially had their bot token sent to a web server not affiliated with Discord. This server is owned and operated by DisCatSharp's development team. The tokens were not logged, yet it is still advisable to reset the tokens of potentially affected bots. 9.9.1 has been released to patch the issue for the current stable release and the current 10.0.0 prereleases are also no longer affected. Users unable to upgrade should remove all uses of the two `RequireDisCatSharpDeveloperAttribute`s and all direct calls to `BaseDiscordClient.LibraryDeveloperTeam`.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24855 ‼
📖 Read
via "National Vulnerability Database".
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24846 ‼
📖 Read
via "National Vulnerability Database".
GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24824 ‼
📖 Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown the crawler view of the site instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24850 ‼
📖 Read
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. A category's group permissions settings can be viewed by anyone that has access to the category. As a result, a normal user is able to see whether a group has read/write permissions in the category even though the information should only be available to the users that can manage a category. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are no workarounds for this problem.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24854 ‼
📖 Read
via "National Vulnerability Database".
Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called `ATTACH DATABASE`, which allows connecting multiple SQLite databases via the initial connection. If the attacker has SQL permissions to at least one SQLite database, then it can attach this database to a second database, and then it can query across all the tables. To be able to do that the attacker also needs to know the file path to the second database. Users are advised to upgrade as soon as possible. If you're unable to upgrade, you can modify your SQLIte connection strings to contain the url argument `?limit_attached=0`, which will disallow making connections to other SQLite databases. Only users making use of SQLite are affected.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26499 ‼
📖 Read
via "National Vulnerability Database".
An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-26651 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28345 ‼
📖 Read
via "National Vulnerability Database".
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26498 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40386 ‼
📖 Read
via "National Vulnerability Database".
Kaseya Unitrends Client/Agent through 10.5,5 allows remote attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".
🕴 Cybersecurity Act of 2022: A Step in the Right Direction With a Significant Loophole 🕴
📖 Read
via "Dark Reading".
The act contains a loophole added late in the process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.📖 Read
via "Dark Reading".
Dark Reading
Cybersecurity Act of 2022: A Step in the Right Direction With a Significant Loophole
The act contains a loophole added late in the process that will impede progress toward the goal of increasing US cybersecurity: a complete carve-out of DNS from the reporting requirements and other obligations outlined in the bill.