π Friday Five 4/15 π
π Read
via "".
In this weekβs Friday Five, catch up on the latest attacks from Russian and North Korean hackers, a shocking report on businessesβ willingness to prioritize security, why consumers are caring less about their own security, and more!π Read
via "".
Digital Guardian
Friday Five 4/15
In this weekβs Friday Five, catch up on the latest attacks from Russian and North Korean hackers, a shocking report on businessesβ willingness to prioritize security, why consumers are caring less about their own security, and more!
βΌ CVE-2022-27427 βΌ
π Read
via "National Vulnerability Database".
A zero-code remote code injection vulnerability via configuration.php in Chamilo LMS v1.11.13 allows attackers to upload arbitrary code in the form of a new plugin.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29072 βΌ
π Read
via "National Vulnerability Database".
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27423 βΌ
π Read
via "National Vulnerability Database".
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27426 βΌ
π Read
via "National Vulnerability Database".
A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27422 βΌ
π Read
via "National Vulnerability Database".
A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24279 βΌ
π Read
via "National Vulnerability Database".
The package madlib-object-utils before 0.1.8 are vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. *Note:* This vulnerability derives from an incomplete fix of [CVE-2020-7701](https://security.snyk.io/vuln/SNYK-JS-MADLIBOBJECTUTILS-598676)π Read
via "National Vulnerability Database".
βΌ CVE-2022-27425 βΌ
π Read
via "National Vulnerability Database".
Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27421 βΌ
π Read
via "National Vulnerability Database".
Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29281 βΌ
π Read
via "National Vulnerability Database".
Notable before 1.9.0-beta.8 doesn't effectively prevent the opening of executable files when clicking on a link. There is improper validation of the file URI scheme. A hyperlink to an SMB share could lead to execution of an arbitrary program (or theft of NTLM credentials via an SMB relay attack, because the application resolves UNC paths).π Read
via "National Vulnerability Database".
π΄ Google Emergency Update Fixes Chrome Zero-Day π΄
π Read
via "Dark Reading".
Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.π Read
via "Dark Reading".
Dark Reading
Google Emergency Update Fixes Chrome Zero-Day
Google patches a critical flaw in its Chrome browser, bringing its count of zero-day vulnerabilities fixed in 2022 to four.
βΌ CVE-2022-1365 βΌ
π Read
via "National Vulnerability Database".
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.π Read
via "National Vulnerability Database".
β Yet another Chrome zero-day emergency update β patch now! β
π Read
via "Naked Security".
The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.π Read
via "Naked Security".
π1
βΌ CVE-2022-29020 βΌ
π Read
via "National Vulnerability Database".
ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29287 βΌ
π Read
via "National Vulnerability Database".
Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability. It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. The exported XML contains every option of the exported user (even the hashed password).π Read
via "National Vulnerability Database".
π΄ Upgrades for Spring Framework Have Stalled π΄
π Read
via "Dark Reading".
Upgrading and fixing the vulnerability in the Spring Framework doesn't seem to have the same level of urgency or energy as patching the Log4j library did back in Decemberπ Read
via "Dark Reading".
Dark Reading
Upgrades for Spring Framework Have Stalled
Upgrading and fixing the vulnerability in the Spring Framework doesn't seem to have the same level of urgency or energy as patching the Log4j library did back in December.
π1
π’ Cloud security market to hit $106 billion by 2029 π’
π Read
via "ITPro".
The Asian-Pacific region is expected to see the highest growth rate over the forecast periodπ Read
via "ITPro".
IT PRO
Cloud security market to hit $106 billion by 2029 | IT PRO
The Asian-Pacific region is expected to see the highest growth rate over the forecast period
π’ Authorities finally confirm leading hacker platform RaidForums has been seized π’
π Read
via "ITPro".
A 21-year-old was arrested in the UK in connection with the prolific hacker platformπ Read
via "ITPro".
IT PRO
Authorities finally confirm leading hacker platform RaidForums has been seized | IT PRO
A 21-year-old was arrested in the UK in connection with the prolific hacker platform
π’ Denonia named as first malware to target AWS Lambda platform π’
π Read
via "ITPro".
Deployment demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, Cado Security saysπ Read
via "ITPro".
IT PRO
Denonia named as first malware to target AWS Lambda platform | IT PRO
Deployment demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, Cado Security says
π’ DuckDuckGo app arrives on Mac π’
π Read
via "ITPro".
New browser app comes with a cookie popup blocker and a password managerπ Read
via "ITPro".
IT PRO
DuckDuckGo app arrives on Mac | IT PRO
New browser app comes with a cookie popup blocker and a password manager
π’ Ransomware activity falls 25% in Q1 2022 π’
π Read
via "ITPro".
The drop in ransomware has been attributed to larger ransomware gangs being less active compared to the end of 2021π Read
via "ITPro".
IT PRO
Ransomware activity falls 25% in Q1 2022 | IT PRO
The drop in ransomware has been attributed to larger ransomware gangs being less active compared to the end of 2021