π΄ Log4j Attack Surface Remains Massive π΄
π Read
via "Dark Reading".
Four months after the Log4Shell vulnerability was disclosed, most affected open source components remain unpatched, and companies continue to use vulnerable versions of the logging tool.π Read
via "Dark Reading".
Dark Reading
Log4j Attack Surface Remains Massive
Four months after the Log4Shell vulnerability was disclosed, most affected open source components remain unpatched, and companies continue to use vulnerable versions of the logging tool.
βΌ CVE-2022-26564 βΌ
π Read
via "National Vulnerability Database".
HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27888 βΌ
π Read
via "National Vulnerability Database".
Foundry Issues service versions 2.244.0 to 2.249.0 was found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in Fixed in 2.249.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27331 βΌ
π Read
via "National Vulnerability Database".
An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27332 βΌ
π Read
via "National Vulnerability Database".
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service (DoS).π Read
via "National Vulnerability Database".
βΌ CVE-2022-28085 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS).π Read
via "National Vulnerability Database".
βΌ CVE-2022-29700 βΌ
π Read
via "National Vulnerability Database".
A lack of password length restriction in Zammad v5.1.0 allows for the creation of extremely long passwords which can cause a Denial of Service (DoS) during password verification.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41041 βΌ
π Read
via "National Vulnerability Database".
In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29701 βΌ
π Read
via "National Vulnerability Database".
A lack of rate limiting in the 'forgot password' feature of Zammad v5.1.0 allows attackers to send an excessive amount of reset requests for a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1503 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in GetSimple CMS. Affected by this issue is the file /admin/edit.php of the Content Module. The manipulation of the argument post-content with an input like <script>alert(1)</script> leads to cross site scripting. The attack may be launched remotely but requires authentication. Expoit details have been disclosed within the advisory.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29810 βΌ
π Read
via "National Vulnerability Database".
The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.π Read
via "National Vulnerability Database".
β Phishing goes KISS: Donβt let plain and simple messages catch you out! β
π Read
via "Naked Security".
Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because they're uncomplicated.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
β Millions of Java Apps Remain Vulnerable to Log4Shell β
π Read
via "Threat Post".
Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.π Read
via "Threat Post".
Threat Post
Millions of Java Apps Remain Vulnerable to Log4Shell
Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.
βΌ CVE-2022-1504 βΌ
π Read
via "National Vulnerability Database".
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46441 βΌ
π Read
via "National Vulnerability Database".
In the "webupg" binary of D-Link DIR-825 G1, because of the lack of parameter verification, attackers can use "cmd" parameters to execute arbitrary system commands after obtaining authorization.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46442 βΌ
π Read
via "National Vulnerability Database".
In the "webupg" binary of D-Link DIR-825 G1, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46421 βΌ
π Read
via "National Vulnerability Database".
Franklin Fueling Systems FFS T5 Series 1.8.7.7299 is affected by an unauthenticated directory traversal vulnerability, which allows an attacker to obtain sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46420 βΌ
π Read
via "National Vulnerability Database".
Franklin Fueling Systems FFS TS-550 evo 2.23.4.8936 is affected by an unauthenticated directory traversal vulnerability, which allows an attacker to obtain sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46423 βΌ
π Read
via "National Vulnerability Database".
Telesquare TLR-2005KSH 1.0.0 is affected by an unauthenticated file download vulnerability that allows a remote attacker to download a full configuration file.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46422 βΌ
π Read
via "National Vulnerability Database".
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46424 βΌ
π Read
via "National Vulnerability Database".
Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request.π Read
via "National Vulnerability Database".