🕴 Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL 🕴
📖 Read
via "Dark Reading".
Flaws gave attackers a way to access other cloud accounts and databases, security vendor says.📖 Read
via "Dark Reading".
Dark Reading
Microsoft Patches Pair of Dangerous Vulnerabilities in Azure PostgreSQL
Flaws gave attackers a way to access other cloud accounts and databases, security vendor says.
‼ CVE-2022-29555 ‼
📖 Read
via "National Vulnerability Database".
The Deviceconnect microservice through 1.3.0 in Northern.tech Mender Enterprise before 3.2.2. allows Cross-Origin Websocket Hijacking.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29081 ‼
📖 Read
via "National Vulnerability Database".
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24449 ‼
📖 Read
via "National Vulnerability Database".
Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28477 ‼
📖 Read
via "National Vulnerability Database".
WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28454 ‼
📖 Read
via "National Vulnerability Database".
Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24898 ‼
📖 Read
via "National Vulnerability Database".
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28060 ‼
📖 Read
via "National Vulnerability Database".
SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29556 ‼
📖 Read
via "National Vulnerability Database".
The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29904 ‼
📖 Read
via "National Vulnerability Database".
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29907 ‼
📖 Read
via "National Vulnerability Database".
The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29905 ‼
📖 Read
via "National Vulnerability Database".
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29906 ‼
📖 Read
via "National Vulnerability Database".
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29903 ‼
📖 Read
via "National Vulnerability Database".
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1531 ‼
📖 Read
via "National Vulnerability Database".
SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1526 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in Emlog Pro up to 1.2.2. This POST parameter handling of articles. The manipulation with the input <script>alert(1);</script> leads to cross site scripting. It is possible to initiate the attack remotely but it requires a signup and login by the attacker. The exploit has been disclosed to the public and may be used.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1530 ‼
📖 Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. Attacker can execute malicious JS on Application :)📖 Read
via "National Vulnerability Database".
🗓️ GitHub offers post-mortem on recent security breach 🗓️
📖 Read
via "The Daily Swig".
Tokens stollen and abused but problem has been contained📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
GitHub offers post-mortem on recent security breach
Tokens stolen and abused but problem has been contained
❌ Cyberespionage APT Now Identified as Three Separate Actors ❌
📖 Read
via "Threat Post".
The threat group known as TA410 that wields the sophisticated FlowCloud RAT actually has three subgroups operating globally, each with their own toolsets and targets.📖 Read
via "Threat Post".
Threat Post
Cyberespionage APT Now Identified as Three Separate Actors
The threat group known as TA410 that wields the sophisticated FlowCloud RAT actually has three subgroups operating globally, each with their own toolsets and targets.
‼ CVE-2022-1533 ‼
📖 Read
via "National Vulnerability Database".
Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11. This vulnerability is capable of arbitrary code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1534 ‼
📖 Read
via "National Vulnerability Database".
Buffer Over-read at parse_rawml.c:1416 in GitHub repository bfabiszewski/libmobi prior to 0.11. The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.📖 Read
via "National Vulnerability Database".