The Modern Software Supply Chain: How It's Evolved and What to Prepare For
via "Dark Reading".
Supply chain attacks are becoming more common and more sophisticated. Find out how to stay secure throughout the software supply chain.
CVE-2022-0540
via "National Vulnerability Database".
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
CVE-2022-24871
via "National Vulnerability Database".
Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.
CVE-2022-24864
via "National Vulnerability Database".
Origin Protocol is a blockchain based project. The Origin Protocol project website allows malicious users to inject malicious JavaScript via a POST request to `/presale/join`. User-controlled data is passed with no sanitization to SendGrid and injected into an email that is delivered to founders@originprotocol.com. If the email recipient is using an email program that is susceptible to XSS, then that email recipient will receive an email that may contain malicious XSS. Regardless of whether the email recipient's mail program has vulnerabilities or not, the attacker can at the very least inject malicious HTML that modifies the body content of the email. There are currently no known workarounds.
CVE-2022-24799
via "National Vulnerability Database".
wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown "code highlighting" in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack.
Patches: The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected.
Workarounds: No workarounds known.
For more information: If you have any questions or comments about this advisory, feel free to email us at vulnerability-report@wire.com.
Credits: We thank Posix (https://twitter.com/po6ix) for reporting this vulnerability.
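The missing step behind the wire-webapp entry above, and equally behind the Origin Protocol email injection (CVE-2022-24864) earlier on this page, is output encoding of attacker-controlled text before it is concatenated into HTML. The following is an added example, not wire-webapp's or Origin Protocol's code: a constructed fenced-code-block renderer in its vulnerable and hardened forms. The `language-` class convention, the renderer itself and the sample message are assumptions made for the illustration.

```javascript
// Constructed example of rendering a fenced markdown code block to HTML.
// Both the language tag and the code body are message content chosen by the
// sender, so both are attacker-controlled.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can end a text node or an attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable shape: the body is concatenated as-is, so a closing </code></pre>
// inside the message ends the block and whatever follows is parsed as markup.
function renderCodeBlockUnsafe(lang, code) {
  return `<pre><code class="language-${lang}">${code}</code></pre>`;
}

// Hardened: encode the body, and restrict the language tag to a plain token so
// it cannot break out of the class attribute either.
function renderCodeBlockSafe(lang, code) {
  const safeLang = /^[a-z0-9+#-]{1,32}$/i.test(lang) ? lang.toLowerCase() : 'plaintext';
  return `<pre><code class="language-${safeLang}">${escapeHtml(code)}</code></pre>`;
}

// True if the output contains any tag other than the <pre>/<code> wrapper,
// i.e. if injected markup survived rendering.
function hasInjectedTag(html) {
  return /<(?!\/?(?:pre|code)\b)/.test(html);
}

// Constructed malicious message: the language tag attempts attribute
// injection, the body closes the block and opens an <img> with a handler.
const SAMPLE_MESSAGE = {
  lang: 'js" onmouseover="alert(1)',
  code: '</code></pre><img src=x onerror=alert(document.cookie)>',
};
```

If a real syntax highlighter sits in this path, encode before tokenising (or use a highlighter that encodes for you) and make sure the fallback branch for unknown languages goes through the same encoding; in the browser, assigning `textContent` instead of building HTML strings avoids the problem for the body entirely. The same rule applies to the stored and reflected XSS entries elsewhere on this page.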
CVE-2022-24861
via "National Vulnerability Database".
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has a remote code execution vulnerability. JDBC drivers are not validated prior to use and may be provided by users of the system. This can lead to code execution by any basic user who has access to the system. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2022-26133
via "National Vulnerability Database".
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allows a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
CVE-2022-24862
via "National Vulnerability Database".
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has a Server-Side Request Forgery vulnerability. During verification of a JDBC driver, the server first fetches the driver from the user-supplied download address; when that address points at a non-existent URL, the response page is returned with the complete error information. Attackers can take advantage of this behaviour for SSRF.
Denonia Malware Shows Evolving Cloud Threats
via "Dark Reading".
Cloud security is constantly evolving and consistently different from defending on-premises assets. Denonia, a recently discovered serverless cryptominer, drives home the point.
Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls
via "Dark Reading".
Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.
CVE-2021-37740
via "National Vulnerability Database".
A denial of service vulnerability exists in MDT's firmware for the KNXnet/IP Secure router SCN-IP100.03 and KNX IP interface SCN-IP000.03 before v3.0.4, that allows a remote attacker to render the device unresponsive to all requests on the KNXnet/IP Secure layer, until the device is rebooted, via a SESSION_REQUEST frame with a modified total length field.
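An added example (not MDT's firmware) of the check whose absence the entry describes: a receiver that compares the total length field in the KNXnet/IP header with the number of bytes actually received, and the fixed body size of a SESSION_REQUEST, before it touches the payload. The header layout (6-byte header, protocol version 0x10, big-endian 16-bit service type and total length), the SESSION_REQUEST service type 0x0951 and its 40-byte body (8-byte HPAI plus a 32-byte client public key) are taken from the KNXnet/IP Secure specification as I recall it and should be treated as assumptions; the frames are constructed.

```javascript
const KNX_HEADER_LEN = 6;
const KNX_VERSION_10 = 0x10;
const SERVICE_SESSION_REQUEST = 0x0951;   // assumed service type identifier
const SESSION_REQUEST_BODY_LEN = 8 + 32;  // assumed: HPAI + client public key

// Parse the common header and refuse any frame whose declared total length
// disagrees with the datagram actually received. Trusting the field instead
// (e.g. to size a read or a copy) is where a forged length does its damage.
function parseKnxHeader(frame) {
  if (!Buffer.isBuffer(frame) || frame.length < KNX_HEADER_LEN) return { ok: false, reason: 'short' };
  const headerLen = frame[0];
  const version = frame[1];
  const serviceType = frame.readUInt16BE(2);
  const totalLen = frame.readUInt16BE(4);
  if (headerLen !== KNX_HEADER_LEN) return { ok: false, reason: 'header-length' };
  if (version !== KNX_VERSION_10) return { ok: false, reason: 'version' };
  if (totalLen !== frame.length) return { ok: false, reason: 'total-length-mismatch' };
  return { ok: true, serviceType, body: frame.subarray(KNX_HEADER_LEN) };
}

// SESSION_REQUEST has a fixed-size body, so its length is checked exactly too.
function parseSessionRequest(frame) {
  const hdr = parseKnxHeader(frame);
  if (!hdr.ok) return hdr;
  if (hdr.serviceType !== SERVICE_SESSION_REQUEST) return { ok: false, reason: 'service-type' };
  if (hdr.body.length !== SESSION_REQUEST_BODY_LEN) return { ok: false, reason: 'body-length' };
  return { ok: true, controlEndpoint: hdr.body.subarray(0, 8), clientPublicKey: hdr.body.subarray(8) };
}

// Build a frame; totalLenOverride lets a test forge the length field.
function buildFrame(serviceType, body, totalLenOverride) {
  const header = Buffer.alloc(KNX_HEADER_LEN);
  header[0] = KNX_HEADER_LEN;
  header[1] = KNX_VERSION_10;
  header.writeUInt16BE(serviceType, 2);
  const totalLen = totalLenOverride === undefined ? KNX_HEADER_LEN + body.length : totalLenOverride;
  header.writeUInt16BE(totalLen, 4);
  return Buffer.concat([header, body]);
}

// Constructed frames: a well-formed SESSION_REQUEST, and one whose total
// length field claims far more bytes than were sent.
const GOOD_SESSION_REQUEST = buildFrame(SERVICE_SESSION_REQUEST, Buffer.alloc(SESSION_REQUEST_BODY_LEN, 0x42));
const FORGED_LENGTH_FRAME = buildFrame(SERVICE_SESSION_REQUEST, Buffer.alloc(SESSION_REQUEST_BODY_LEN, 0x42), 0xffff);
```

On an embedded target the same checks belong in C before any `memcpy` or buffer allocation sized from the header, and a rejected frame should be dropped without changing session state, so that one bad datagram cannot wedge the secure layer.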
CVE-2022-24872
via "National Vulnerability Database".
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set on the sales channel context via the admin API remain usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.
CVE-2022-24865
via "National Vulnerability Database".
HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that HumHub be upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.
CVE-2021-43481
via "National Vulnerability Database".
An SQL Injection vulnerability exists in Webtareas 2.4p3 and earlier via the $uq HTTP POST parameter in editapprovalstage.php.
CVE-2022-24874
via "National Vulnerability Database".
ACS Commons is an open source framework for AEM projects. ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in the `/apps/acs-commons/content/page-compare.html` endpoint via the `a` and `b` GET parameters. User input submitted via these parameters is not validated or sanitized. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. This issue has been resolved in 5.2.0. There are no known workarounds for this issue.
LinkedIn Brand Now the Most Abused in Phishing Attempts
via "Dark Reading".
New research shows threat actors increasingly leveraging social networks for attacks, with LinkedIn being used in 52% of global phishing attacks.
Anti-Fraud Partnership Brings Confidential Computing to Financial Services
via "Dark Reading".
Intel, FiVerity, and Fortanix team up to launch an AI-driven fraud detection platform into a confidential computing environment.
CVE-2022-29530
via "National Vulnerability Database".
An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters.
CVE-2022-29531
via "National Vulnerability Database".
An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name.
CVE-2022-29532
via "National Vulnerability Database".
An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it.
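An added example (not MISP's code) of the check a stored URL field needs before it is rendered as a clickable link: parse the value, accept only an allowlisted scheme, and otherwise present it as inert text. A string-prefix check for `javascript:` misses casing and embedded whitespace; the WHATWG URL parser normalises both, so the decision is made on the parsed `protocol`. The node-description helper and the sample values are constructed.

```javascript
const ALLOWED_LINK_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised absolute URL with an allowlisted scheme, or null.
// Relative and malformed values are refused: a link field that needs a base
// URL to resolve is not a link an administrator should be clicking.
function safeHref(raw) {
  if (typeof raw !== 'string') return null;
  let url;
  try { url = new URL(raw.trim()); } catch { return null; }
  return ALLOWED_LINK_SCHEMES.has(url.protocol) ? url.href : null;
}

// Describe the DOM node to build for a stored URL. Rejected values become a
// text-only span, so a javascript: payload never reaches an href. In the
// browser this maps onto createElement/setAttribute/textContent, which avoids
// HTML string building altogether.
function buildLinkNode(raw) {
  const href = safeHref(raw);
  if (href === null) {
    return { element: 'span', attributes: { class: 'invalid-url' }, text: String(raw) };
  }
  return { element: 'a', attributes: { href, rel: 'noopener noreferrer' }, text: href };
}

// Constructed values an administrator might store in a URL field.
const SAMPLE_VALUES = [
  'https://cerebrate.example.org/instances/1',
  'javascript:alert(document.domain)',
  'JaVaScRiPt:alert(1)',
  '  javascript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '//cerebrate.example.org/',
];
```

The allowlist is deliberately short; if the field legitimately needs other schemes (for instance `mailto:`), add them explicitly rather than switching to a denylist of known-bad ones.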
CVE-2022-29534
via "National Vulnerability Database".
An issue was discovered in MISP before 2.4.158. In UsersController.php, password confirmation can be bypassed via vectors involving an "Accept: application/json" header.