βΌ CVE-2021-4206 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1403 βΌ
π Read
via "National Vulnerability Database".
ASDA-Soft: Version 5.4.1.0 and prior does not properly sanitize input while processing a specific project file, allowing a possible out-of-bounds write condition.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43938 βΌ
π Read
via "National Vulnerability Database".
Elcomplus SmartPTT SCADA Server is vulnerable to an unauthenticated user can request various files from the server without any authentication or authorization.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36207 βΌ
π Read
via "National Vulnerability Database".
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.π Read
via "National Vulnerability Database".
π΄ Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded π΄
π Read
via "Dark Reading".
This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.π Read
via "Dark Reading".
Dark Reading
Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded
This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.
βΌ CVE-2022-1543 βΌ
π Read
via "National Vulnerability Database".
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough the service results in a momentary outage in a production environment. That can lead to memory corruption on the server.π Read
via "National Vulnerability Database".
π΄ Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack π΄
π Read
via "Dark Reading".
QNAP and Synology say flaws in the Netatalk fileserver allow remote code execution and information disclosure.π Read
via "Dark Reading".
Dark Reading
Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack
QNAP and Synology say flaws in the Netatalk fileserver allow remote code execution and information disclosure.
βΌ CVE-2022-25854 βΌ
π Read
via "National Vulnerability Database".
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29947 βΌ
π Read
via "National Vulnerability Database".
Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28198 βΌ
π Read
via "National Vulnerability Database".
NVIDIA Omniverse Nucleus and Cache contain a vulnerability in its configuration of OpenSSL, where an attacker with physical access to the system can cause arbitrary code execution which can impact confidentiality, integrity, and availability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29945 βΌ
π Read
via "National Vulnerability Database".
DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol.π Read
via "National Vulnerability Database".
π΄ Good News! IAM Is Near-Universal With SaaS π΄
π Read
via "Dark Reading".
The less-good news: IAM only works for applications your IT department knows about, so watch for "shadow IT" programs installed or written by users that leave a security gap.π Read
via "Dark Reading".
Dark Reading
Good News! IAM Is Near-Universal With SaaS
The less-good news: IAM only works for applications your IT department knows about, so watch for "shadow IT" programs installed or written by users that leave a security gap.
βΌ CVE-2022-29967 βΌ
π Read
via "National Vulnerability Database".
static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal.π Read
via "National Vulnerability Database".
π΄ 2022 Security Priorities: Staffing and Remote Work π΄
π Read
via "Dark Reading".
A comprehensive security strategy balances technology, processes, and people β and hiring and retaining security personnel and securing the remote workforce are firmly people priorities.π Read
via "Dark Reading".
Dark Reading
2022 Security Priorities: Staffing and Remote Work
A comprehensive security strategy balances technology, processes, and people β and hiring and retaining security personnel and securing the remote workforce are firmly people priorities.
π1
βΌ CVE-2022-29265 βΌ
π Read
via "National Vulnerability Database".
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values: - EvaluateXPath - EvaluateXQuery - ValidateXml Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28323 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,π Read
via "National Vulnerability Database".
βΌ CVE-2021-41992 βΌ
π Read
via "National Vulnerability Database".
A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41994 βΌ
π Read
via "National Vulnerability Database".
A misconfiguration of RSA in PingID iOS app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41993 βΌ
π Read
via "National Vulnerability Database".
A misconfiguration of RSA in PingID Android app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42001 βΌ
π Read
via "National Vulnerability Database".
PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23060 βΌ
π Read
via "National Vulnerability Database".
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the Γ’β¬ΕManage filesΓ’β¬οΏ½ tabπ Read
via "National Vulnerability Database".