CVE-2022-28440
An arbitrary file upload vulnerability in UCMS v1.6 allows attackers to execute arbitrary code via a crafted PHP file.
via "National Vulnerability Database".
CVE-2022-28432
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2.
via "National Vulnerability Database".
CVE-2022-28028
Simple Real Estate Portal System v1.0 was discovered to contain a SQL injection vulnerability via /reps/classes/Master.php?f=delete_amenity.
via "National Vulnerability Database".
CVE-2022-28422
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php&action=edit.
via "National Vulnerability Database".
Zero-Day Exploit Use Exploded in 2021
Ransomware and other financially motivated threat actors joined nation-state-backed groups in leveraging unpatched flaws in attack campaigns, new data shows.
via "Dark Reading".
CVE-2022-29577
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
via "National Vulnerability Database".
CVE-2022-28366
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.
via "National Vulnerability Database".
CVE-2022-29280
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-28366. Reason: This candidate is a reservation duplicate of CVE-2022-28366. Notes: All CVE users should reference CVE-2022-28366 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
via "National Vulnerability Database".
CVE-2022-28367
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
via "National Vulnerability Database".
CVE-2022-1429
SQL injection in GridHelperService.php in GitHub repository pimcore/pimcore prior to 10.3.6. This vulnerability is capable of stealing the data.
via "National Vulnerability Database".
CVE-2022-26672
ASUS WebStorage has a hardcoded API Token in the APP source code. An unauthenticated remote attacker can use this token to establish connections with the server and carry out login attempts to general user accounts. A successful login to a general user account allows the attacker to access, modify or delete this user account information.
via "National Vulnerability Database".
CVE-2022-26673
ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform Stored Cross-Site Scripting (XSS) attacks.
via "National Vulnerability Database".
CVE-2022-26674
ASUS RT-AX88U has a Format String vulnerability, which allows an unauthenticated remote attacker to write to arbitrary memory address and perform remote arbitrary code execution, arbitrary system operation or disrupt service.
via "National Vulnerability Database".
Skeletons in the Closet: Security 101 Takes a Backseat to 0-days
Nate Warfield, CTO at Prevailion, discusses the dangers of focusing on zero-day security vulnerabilities, and how security teams are being distracted from the day-to-day work that prevents most breaches.
via "Threat Post".
Zero-Trust For All: A Practical Guide
How to use zero-trust architecture effectively in today's modern cloud-dependent infrastructures.
via "Threat Post".
S3 Ep79: Chrome hole, a bad place for a cybersecurity holiday, and crypto-dodginess [Podcast]
Do you know your Adam Osborne from your John Osbourne? Your Z80 from your 6502? Latest episode - listen now!
via "Naked Security".
Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code
KrebsOnSecurity recently reviewed a copy of the private chat messages between members of the LAPSUS$ cybercrime group in the week leading up to the arrest of its most active members last month. The logs show LAPSUS$ breached T-Mobile multiple times in March, stealing source code for a range of company projects. T-Mobile says no customer or government information was stolen in the intrusion. LAPSUS$ is known for stealing data and then demanding a ransom not to publish or sell it. But the leaked chats indicate this mercenary activity was of little interest to the tyrannical teenage leader of LAPSUS$, whose obsession with stealing and leaking proprietary computer source code from the world's largest tech companies ultimately led to the group's undoing.
via "Krebs on Security".
Vulnerability in AWS Log4Shell hot patch allowed full host takeover
Critical security issues found in quick fix.
via "The Daily Swig".
Creating Cyberattack Resilience in Modern Education Environments
From increasing cybersecurity awareness in staff, students, and parents to practicing good security hygiene for devices, using endpoint protection, and inspecting network traffic, schools can boost cybersecurity to keep students safe.
via "Dark Reading".
Zeek 4.2.1
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.
via "Packet Storm Security".
Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms
Industrial control insecurity laid bare during competition.
via "The Daily Swig".