โผ CVE-2022-24881 โผ
๐ Read
via "National Vulnerability Database".
Ballcat Codegen provides the function of online editing code to generate templates. In versions prior to 1.0.0.beta.2, attackers can implement remote code execution through malicious code injection of the template engine. This happens because Velocity and freemarker templates are introduced but input verification is not done. The fault is rectified in version 1.0.0.beta.2.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24883 โผ
๐ Read
via "National Vulnerability Database".
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). Prior to version 2.7.0, server side authentication against a `SAM` file might be successful for invalid credentials if the server has configured an invalid `SAM` file path. FreeRDP based clients are not affected. RDP server implementations using FreeRDP to authenticate against a `SAM` file are affected. Version 2.7.0 contains a fix for this issue. As a workaround, use custom authentication via `HashCallback` and/or ensure the `SAM` database path configured is valid and the application has file handles left.๐ Read
via "National Vulnerability Database".
๐ด The Ins and Outs of Secure Infrastructure as Code ๐ด
๐ Read
via "Dark Reading".
The move to IaC has its challenges but done right can fundamentally improve an organization's overall security posture.๐ Read
via "Dark Reading".
Dark Reading
The Ins and Outs of Secure Infrastructure as Code
The move to IaC has its challenges but done right can fundamentally improve an organization's overall security posture.
๐ Post-Lapsus$, HHS Warns Healthcare Industry of Insider Threat Risks ๐
๐ Read
via "".
Following last month's Lapsus$ hacks, federal authorities are reminding healthcare organizations about the danger of insider threats.๐ Read
via "".
Digital Guardian
Post-Lapsus$, HHS Warns Healthcare Industry of Insider Threat Risks
Following last month's Lapsus$ hacks, federal authorities are reminding healthcare organizations about the danger of insider threats.
โผ CVE-2021-26628 โผ
๐ Read
via "National Vulnerability Database".
Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges. When uploading file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguising them as image files.๐ Read
via "National Vulnerability Database".
๐1
โผ CVE-2021-36895 โผ
๐ Read
via "National Vulnerability Database".
Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-26629 โผ
๐ Read
via "National Vulnerability Database".
A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When the .xzip archive file is decompressed, an arbitrary file can be d in the parent path by using the path traversal pattern รขโฌห..\รขโฌโข.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-27854 โผ
๐ Read
via "National Vulnerability Database".
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher role via &wpt_test_page_submit_button_caption parameter.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-36867 โผ
๐ Read
via "National Vulnerability Database".
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher user rights.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-1466 โผ
๐ Read
via "National Vulnerability Database".
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28218 โผ
๐ Read
via "National Vulnerability Database".
An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).๐ Read
via "National Vulnerability Database".
โผ CVE-2022-24866 โผ
๐ Read
via "National Vulnerability Database".
Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could view assignment info, which is limited to staff by default. For the vast majority of sites, this data was only leaked to trusted staff member, but for sites with assign features enabled publicly, the data was accessible to more people than just staff. Version 1.0.1 contains a patch. There are currently no known workarounds.๐ Read
via "National Vulnerability Database".
๐ด Tenable Acquires External Attack Surface Management Vendor for $44.5M ๐ด
๐ Read
via "Dark Reading".
Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.๐ Read
via "Dark Reading".
Dark Reading
Tenable Acquires External Attack Surface Management Vendor for $44.5M
Acquisition will add Internet-facing attack surface mapping and monitoring to Tenable's internal asset management products.
โผ CVE-2022-28528 โผ
๐ Read
via "National Vulnerability Database".
bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28525 โผ
๐ Read
via "National Vulnerability Database".
ED01-CMS v20180505 was discovered to contain an arbitrary file upload vulnerability via /admin/users.php?source=edit_user&id=1.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28521 โผ
๐ Read
via "National Vulnerability Database".
ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28522 โผ
๐ Read
via "National Vulnerability Database".
ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28523 โผ
๐ Read
via "National Vulnerability Database".
HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28059 โผ
๐ Read
via "National Vulnerability Database".
Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\database_controller.php.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28450 โผ
๐ Read
via "National Vulnerability Database".
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code at client browser.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-28918 โผ
๐ Read
via "National Vulnerability Database".
GreenCMS v2.3.0603 was discovered to contain an arbitrary file deletion vulnerability via /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=.๐ Read
via "National Vulnerability Database".