CVE-2021-43712
via "National Vulnerability Database".
Stored XSS in Add New Employee Form in Sourcecodester Employee Daily Task Management System 1.0 Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field.
CVE-2022-23705
via "National Vulnerability Database".
A security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays, and HPE Nimble Storage Secondary Flash Arrays which could potentially allow the upload, but not execution, of unauthorized update binaries to the array. HPE has made the following software updates to resolve the vulnerability in HPE Nimble Storage: 5.0.10.100 or later, 5.2.1.0 or later, 6.0.0.100 or later.
CVE-2022-23704
via "National Vulnerability Database".
A potential security vulnerability has been identified in Integrated Lights-Out 4 (iLO 4). The vulnerability could allow remote Denial of Service. The vulnerability is resolved in Integrated Lights-Out 4 (iLO 4) 2.80 and later.
How to Check if Your F5 BIG-IP Device Is Vulnerable
via "Dark Reading".
This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.
Low-rent RAT Worries Researchers
via "Threat Post".
Researchers say a hacker is selling access to quality malware for chump change.
EU targets standardization as key to bloc-wide cyber-resilience
via "The Daily Swig".
Threat landscape's increasing complexity adds impetus to drive for consistency across 27 member states.
Conti Ransomware Attack Spurs State of Emergency in Costa Rica
via "Threat Post".
The threat group has leaked data that it claims was stolen in the breach and is promising more government-targeted attacks.
CVE-2022-24042
via "National Vulnerability Database".
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.
CVE-2022-24040
via "National Vulnerability Database".
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2 derived key with a remarkably high cost effort and then attempting a login to the so-modified account.
CVE-2021-41545
via "National Vulnerability Database".
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). When the controller receives a specific BACnet protocol packet, an exception causes the BACnet communication function to go into an "out of work" state and could result in the controller going into a "factory reset" state.
CVE-2022-24041
via "National Vulnerability Database".
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2 derived key of users passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.
CVE-2021-42581
via "National Vulnerability Database".
Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function.
CVE-2022-24039
via "National Vulnerability Database".
A vulnerability has been identified in Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The "addCell" JavaScript function fails to properly sanitize user-controllable input before including it into the generated XML body of the XLS report document, such that it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could be able to leverage the application to deliver malicious files against higher-privileged users and obtain Remote Code Execution (RCE) against the administrator's workstation.
Russia behind cyber-attack on satellite internet network KA-SAT that disrupted Ukrainian infrastructure, says EU
via "The Daily Swig".
Suspected DDoS attack took place one hour before Russia invaded Ukraine.
Hackers Actively Exploit F5 BIG-IP Bug
via "Threat Post".
The bug has a severity rating of 9.8, and public exploits have been released.
Mastering the New CISO Playbook
via "Dark Reading".
How can you safeguard your organization amid global conflict and uncertainty?
CVE-2021-42645
via "National Vulnerability Database".
CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable host.
CVE-2022-28110
via "National Vulnerability Database".
Hotel Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at the login page.
CVE-2022-29591
via "National Vulnerability Database".
Tenda TX9 Pro 22.03.02.10 devices have a SetNetControlList buffer overflow.
CVE-2021-43094
via "National Vulnerability Database".
An SQL Injection vulnerability exists in OpenMRS Reference Application Standalone Edition <=2.11 and Platform Standalone Edition <=2.4.0 via GET requests on arbitrary parameters in patient.page.
RubyGems supply chain rip-and-replace bug fixed – check your logs!
via "Naked Security".
Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".