CVE-2022-1543
Improper handling of the Length parameter in GitHub repository erudika/scoold prior to 1.49.4. When the text size is large enough, the service suffers a momentary outage in a production environment. That can lead to memory corruption on the server.
via "National Vulnerability Database".
Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack
QNAP and Synology say flaws in the Netatalk fileserver allow remote code execution and information disclosure.
via "Dark Reading".
CVE-2022-25854
This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.
via "National Vulnerability Database".
CVE-2022-29947
Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.
via "National Vulnerability Database".
CVE-2022-28198
NVIDIA Omniverse Nucleus and Cache contain a vulnerability in their configuration of OpenSSL, where an attacker with physical access to the system can cause arbitrary code execution, which can impact confidentiality, integrity, and availability.
via "National Vulnerability Database".
CVE-2022-29945
DJI drone devices sold in 2017 through 2022 broadcast unencrypted information about the drone operator's physical location via the AeroScope protocol.
via "National Vulnerability Database".
Good News! IAM Is Near-Universal With SaaS
The less-good news: IAM only works for applications your IT department knows about, so watch for "shadow IT" programs installed or written by users that leave a security gap.
via "Dark Reading".
CVE-2022-29967
static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal.
via "National Vulnerability Database".
2022 Security Priorities: Staffing and Remote Work
A comprehensive security strategy balances technology, processes, and people; hiring and retaining security personnel and securing the remote workforce are firmly people priorities.
via "Dark Reading".
CVE-2022-29265
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:
- EvaluateXPath
- EvaluateXQuery
- ValidateXml
Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.
via "National Vulnerability Database".
CVE-2022-28323
An issue was discovered in MediaWiki through 1.37.2. The SecurePoll extension allows a leak because sorting by timestamp is supported,
via "National Vulnerability Database".
CVE-2021-41992
A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.
via "National Vulnerability Database".
CVE-2021-41994
A misconfiguration of RSA in the PingID iOS app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.
via "National Vulnerability Database".
CVE-2021-41993
A misconfiguration of RSA in the PingID Android app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.
via "National Vulnerability Database".
CVE-2021-42001
PingID Desktop prior to 1.7.3 has a misconfiguration in the encryption libraries which can lead to sensitive data exposure. An attacker capable of exploiting this vulnerability may be able to successfully complete an MFA challenge via OTP.
via "National Vulnerability Database".
CVE-2022-23060
A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the "Manage files" tab.
via "National Vulnerability Database".
CVE-2022-1544
Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in a CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of contained confidential data.
via "National Vulnerability Database".
CVE-2022-23061
In Shopizer versions 2.0 to 2.17.0, a regular admin can permanently delete a superadmin (although this should not be possible according to the documentation) via an Insecure Direct Object Reference (IDOR) vulnerability.
via "National Vulnerability Database".
CVE-2021-31674
Cyclos 4 PRO 4.14.7 and before does not validate user input in error information, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum constant.
via "National Vulnerability Database".
CVE-2022-28451
nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature.
via "National Vulnerability Database".
CVE-2021-40822
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
via "National Vulnerability Database".