CVE-2022-27135 (via National Vulnerability Database)
xpdf 4.03 has a heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary.
CVE-2022-28506 (via National Vulnerability Database)
There is a heap buffer overflow in the GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45.
CVE-2022-27428 (via National Vulnerability Database)
A stored cross-site scripting (XSS) vulnerability in /index.php/album/add of GalleryCMS v2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the album_name parameter.
CVE-2022-28586 (via National Vulnerability Database)
XSS in the edit page of Hoosk 1.8.0 allows an attacker to execute JavaScript code in the user's browser via the edit page, using an XSS payload that bypasses the filter for some special characters.
CVE-2022-27103 (via National Vulnerability Database)
element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.
CVE-2022-27429 (via National Vulnerability Database)
Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html.
CVE-2022-27311 (via National Vulnerability Database)
Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL.
CVE-2021-36460 (via National Vulnerability Database)
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to take over a user's account, rendering the benefits of storing hashed passwords in the database useless.
CVE-2022-28053 (via National Vulnerability Database)
Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
Trend Micro Launches New Security Platform (via Dark Reading)
An ecosystem of native and third-party integrations provides visibility and control across the entire attack surface.
IBM database updates address critical vulnerabilities in third-party XML parser (via The Daily Swig)
Flaws in popular parser prompt updates from numerous downstream vendors.
QNAP warns of new bugs in its Network Attached Storage devices (via Naked Security)
Here's what you need to know, plus some sensible advice for all the devices on your home or small biz network!
CVE-2022-28093 (via National Vulnerability Database)
SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-29078 (via National Vulnerability Database)
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
CVE-2022-28094 (via National Vulnerability Database)
SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the fid parameter at booking.php.
CVE-2022-26111 (via National Vulnerability Database)
The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.
Phishing goes KISS: Don't let plain and simple messages catch you out! (via Naked Security)
Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because they're uncomplicated.
Ukraine Invasion Driving DDoS Attacks to All-Time Highs (via Dark Reading)
Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.
CVE-2022-0953 (via National Vulnerability Database)
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters.
CVE-2022-0398 (via National Vulnerability Database)
The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as a subscriber, to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.
CVE-2022-26597 (via National Vulnerability Database)
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.