βΌ CVE-2022-29081 βΌ
π Read
via "National Vulnerability Database".
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24449 βΌ
π Read
via "National Vulnerability Database".
Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28477 βΌ
π Read
via "National Vulnerability Database".
WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS).π Read
via "National Vulnerability Database".
βΌ CVE-2022-28454 βΌ
π Read
via "National Vulnerability Database".
Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS).π Read
via "National Vulnerability Database".
βΌ CVE-2022-24898 βΌ
π Read
via "National Vulnerability Database".
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28060 βΌ
π Read
via "National Vulnerability Database".
SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29556 βΌ
π Read
via "National Vulnerability Database".
The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29904 βΌ
π Read
via "National Vulnerability Database".
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29907 βΌ
π Read
via "National Vulnerability Database".
The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29905 βΌ
π Read
via "National Vulnerability Database".
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29906 βΌ
π Read
via "National Vulnerability Database".
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29903 βΌ
π Read
via "National Vulnerability Database".
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension's configuration. The attacker must trigger a POST request to Special:PrivateDomains.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1531 βΌ
π Read
via "National Vulnerability Database".
SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1526 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in Emlog Pro up to 1.2.2. This POST parameter handling of articles. The manipulation with the input <script>alert(1);</script> leads to cross site scripting. It is possible to initiate the attack remotely but it requires a signup and login by the attacker. The exploit has been disclosed to the public and may be used.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1530 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. Attacker can execute malicious JS on Application :)π Read
via "National Vulnerability Database".
ποΈ GitHub offers post-mortem on recent security breach ποΈ
π Read
via "The Daily Swig".
Tokens stollen and abused but problem has been containedπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
GitHub offers post-mortem on recent security breach
Tokens stolen and abused but problem has been contained
β Cyberespionage APT Now Identified as Three Separate Actors β
π Read
via "Threat Post".
The threat group known as TA410 that wields the sophisticated FlowCloud RAT actually has three subgroups operating globally, each with their own toolsets and targets.π Read
via "Threat Post".
Threat Post
Cyberespionage APT Now Identified as Three Separate Actors
The threat group known as TA410 that wields the sophisticated FlowCloud RAT actually has three subgroups operating globally, each with their own toolsets and targets.
βΌ CVE-2022-1533 βΌ
π Read
via "National Vulnerability Database".
Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11. This vulnerability is capable of arbitrary code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1534 βΌ
π Read
via "National Vulnerability Database".
Buffer Over-read at parse_rawml.c:1416 in GitHub repository bfabiszewski/libmobi prior to 0.11. The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.π Read
via "National Vulnerability Database".
ποΈ Data breach at US healthcare provider ARcare impacts 345,000 individuals ποΈ
π Read
via "The Daily Swig".
Sensitive medical and other personal data was potentially exposedπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Data breach at US healthcare provider ARcare impacts 345,000 individuals
Sensitive medical and other personal data was potentially exposed
π΄ Ambient.ai Expands Computer Vision Capabilities for Better Building Security π΄
π Read
via "Dark Reading".
The AI startup releases new threat signatures to expand the computer vision platformβs ability to identify potential physical security incidents from camera feeds.π Read
via "Dark Reading".
Dark Reading
Ambient.ai Expands Computer Vision Capabilities for Better Building Security
The AI startup releases new threat signatures to expand the computer vision platformβs ability to identify potential physical security incidents from camera feeds.