CVE-2022-24272
An authenticated user may trigger an invariant assertion during command dispatch due to incorrect validation on the $external database. This may result in mongod denial of service or server crash. This issue affects: MongoDB Inc. MongoDB Server v5.0 versions, prior to and including v5.0.6.
Read via "National Vulnerability Database".
CVE-2022-1420
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.
Read via "National Vulnerability Database".
Critical cryptographic Java security blunder patched - update now!
Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.
Read via "Naked Security".
Adversaries Look for "Attackability" When Selecting Targets
A large number of enterprise applications are affected by the vulnerability in Log4j, but adversaries aren't just looking for the most common applications. They are looking for targets that are easier to exploit and/or have the biggest payoff.
Read via "Dark Reading".
S3 Ep79: Chrome hole, a bad place for a cybersecurity holiday, and cryptododginess [Podcast]
Do you know your Adam Osborne from your John Osbourne? Your Z80 from your 6502? Latest episode - listen now!
Read via "Naked Security".
3 Ways We Can Improve Cybersecurity
To better manage risks, companies can concentrate on resilience, sharing information to protect from cyber threats, and making the cybersecurity tent bigger by looking at workers with nontraditional skill sets.
Read via "Dark Reading".
Hack Me, I'm Famous: Bug bounty hackathon nets security researcher €10,000 overnight
European event saw 40 researchers team up to find bugs.
Read via "The Daily Swig".
Suricata IDPE 6.0.5
Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.
Read via "Packet Storm Security".
CVE-2022-1022
Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0.
Read via "National Vulnerability Database".
Alert Logic Releases MDR Incident Response Capability for Addressing a Breach
Seedrs Ltd. deployed and configured Alert Logic Intelligent Response in minutes, and immediately began blocking critical threats.
Read via "Dark Reading".
CVE-2022-0272
Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.
Read via "National Vulnerability Database".
CVE-2022-24868
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject JavaScript into their user avatar. As a result, any user viewing the avatar will be subject to a cross-site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
Read via "National Vulnerability Database".
CVE-2022-24870
Combodo iTop is a web-based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3, a malicious script can be injected in tooltips using the iTop customization mechanism. This provides a stored cross-site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.
Read via "National Vulnerability Database".
CVE-2021-41161
Combodo iTop is a web-based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page doesn't properly escape the user-supplied parameters, allowing for JavaScript injection into rendered CSV files. Users are advised to upgrade. There are no known workarounds for this issue.
Read via "National Vulnerability Database".
CVE-2021-41162
Combodo iTop is a web-based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user-supplied parameters, allowing for a cross-site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue.
Read via "National Vulnerability Database".
CVE-2022-24867
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. When the config is passed to the JavaScript, some entries are filtered out. The variable ldap_pass is not filtered, and when you look at the source code of the rendered page, you can see the password for the root DN. Users are advised to upgrade. There is no known workaround for this issue.
Read via "National Vulnerability Database".
CVE-2022-24869
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. In versions prior to 10.0.0 one can use ticket followups or set up login messages with a stylesheet link. This may allow for a cross-site scripting attack vector. This issue is partially mitigated by the CORS security of browsers, though users are still advised to upgrade.
Read via "National Vulnerability Database".
CVE-2022-22436
IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224164.
Read via "National Vulnerability Database".
CVE-2022-22435
IBM Maximo Asset Management 7.6.1.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
Read via "National Vulnerability Database".
Cybereason Launches Digital Forensics Incident Response
Cybereason MalOp Detection Engine augmented with Nuanced DFIR Intelligence reduces the mean time to detect and remediate incidents.
Read via "Dark Reading".
New Zscaler Research Shows Over 400% Increase in Phishing Attacks With Retail and Wholesale Industries at Greatest Risk
Annual ThreatLabz Report reveals phishing-as-a-service as the key source of attacks across critical industries and consumers globally; underscores urgency to adopt a zero-trust security model.
Read via "Dark Reading".