🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-27308 ‼

A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a project title.

📖 Read

via "National Vulnerability Database".
πŸ‘1
‼ CVE-2022-28738 ‼

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-30524 ‼

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27412 ‼

Explore CMS v1.0 was discovered to contain a SQL injection vulnerability via a /page.php?id= request.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-29972 ‼

An argument injection vulnerability in the browser-based authentication component of the Magnitude Simba Amazon Redshift ODBC Driver (1.4.14 through 1.4.21.1001 and 1.4.22 through 1.4.x before 1.4.52) may allow a local user to execute arbitrary code.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-28739 ‼

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-29868 ‼

1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a process validation bypass. Malicious software running on the same computer can exfiltrate secrets from 1Password provided that 1Password is running and is unlocked. Affected secrets include vault items and derived values used for signing in to 1Password.

📖 Read

via "National Vulnerability Database".
🕴 Costa Rica Declares State of Emergency Under Sustained Conti Cyberattacks 🕴

Conti's ransomware attack cripples Costa Rica's Treasury, sparking the US to offer a $15M bounty on the group.

📖 Read

via "Dark Reading".
🕴 Joker, Other Fleecewear Surges Back Into Google Play 🕴

Some mobile apps are being weaponized with Trojans that secretly sign Android users up for paid subscription services.

📖 Read

via "Dark Reading".
‼ CVE-2021-43712 ‼

Stored XSS in the Add New Employee form in Sourcecodester Employee Daily Task Management System 1.0 allows a remote attacker to inject/store arbitrary code via the Name field.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23705 ‼

A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays, and HPE Nimble Storage Secondary Flash Arrays which could potentially allow the upload, but not execution, of unauthorized update binaries to the array. HPE has made the following software updates to resolve the vulnerability in HPE Nimble Storage: 5.0.10.100 or later, 5.2.1.0 or later, 6.0.0.100 or later.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23704 ‼

A potential security vulnerability has been identified in Integrated Lights-Out 4 (iLO 4). The vulnerability could allow remote Denial of Service. The vulnerability is resolved in Integrated Lights-Out 4 (iLO 4) 2.80 and later.

📖 Read

via "National Vulnerability Database".
🕴 How to Check if Your F5 BIG-IP Device Is Vulnerable 🕴

This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.

📖 Read

via "Dark Reading".
❌ Low-rent RAT Worries Researchers ❌

Researchers say a hacker is selling access to quality malware for chump change.

📖 Read

via "Threat Post".
πŸ—“οΈ EU targets standardization as key to bloc-wide cyber-resilience πŸ—“οΈ

Threat landscape’s increasing complexity adds impetus to drive for consistency across 27 member states

πŸ“– Read

via "The Daily Swig".
❌ Conti Ransomware Attack Spurs State of Emergency in Costa Rica ❌

The threat group has leaked data that it claims was stolen in the breach and is promising more government-targeted attacks.

📖 Read

via "Threat Post".
‼ CVE-2022-24042 ‼

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24040 ‼

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2 derived key with a remarkably high cost effort and then attempting a login to the so-modified account.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41545 ‼

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). When the controller receives a specific BACnet protocol packet, an exception causes the BACnet communication function to go into an "out of work" state and could result in the controller going into a "factory reset" state.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-24041 ‼

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2 derived key of users' passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-42581 ‼

Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function.

📖 Read

via "National Vulnerability Database".