🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-29642 ‼

TOTOLINK A3100R V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129 were discovered to contain a stack overflow via the url parameter in the function setUrlFilterRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

📖 Read

via "National Vulnerability Database".
πŸ—“οΈ DevSecOps and cybersecurity skills are top priorities for enterprise IT – report πŸ—“οΈ

Transparency and inter-team collaboration key amid escalating threats and compliance requirements

📖 Read

via "The Daily Swig".
❌ APTs Overwhelmingly Share Known Vulnerabilities Rather Than Attack 0-Days ❌

Research indicates that organizations should make patching existing flaws a priority to mitigate risk of compromise.

📖 Read

via "Threat Post".
❌ DOJ Says Doctor is Malware Mastermind ❌

The U.S. Department of Justice indicts a middle-aged doctor, accusing him of being a malware mastermind.

📖 Read

via "Threat Post".
πŸ—“οΈ Popular websites leaking user email data to web tracking domains πŸ—“οΈ

Data harvested without consent and before forms are submitted in many cases, researchers claim

📖 Read

via "The Daily Swig".
‼ CVE-2022-23068 ‼

ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1432 ‼

Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-29518 ‼

Screen Creator Advance2, HMI GC-A2 series, and Real time remote monitoring and control tool Screen Creator Advance2 versions prior to Ver.0.1.1.3 Build01, HMI GC-A2 series (GC-A22W-CW, GC-A24W-C(W), GC-A26W-C(W), GC-A24, GC-A24-M, GC-A25, GC-A26, and GC-A26-J2), and Real time remote monitoring and control tool (Remote GC) allow a local attacker to bypass authentication due to an improper check of the Remote control setting's account names. This may allow an attacker who can access the HMI from the Real time remote monitoring and control tool to perform arbitrary operations on the HMI. As a result, the information stored in the HMI may be disclosed, deleted or altered, and/or the equipment may be illegally operated via the HMI.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23067 ‼

ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via the Referer header that leads to account takeover. If the user opens the invite link/signup link and then clicks on any external link within the page, the password-set token/signup token is leaked in the Referer header. Using these tokens the attacker can access the user’s account.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1795 ‼

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-27632 ‼

Cross-site request forgery (CSRF) vulnerability in Rebooter (WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter (PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler (TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter (POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user view a specially crafted page.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1727 ‼

Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-28717 ‼

Cross-site scripting vulnerability in Rebooter (WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter (PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler (TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter (POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker with administrative privilege to inject an arbitrary script via unspecified vectors.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-29516 ‼

The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1430 ‼

Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-30065 ‼

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-1782 ‼

Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-27548 ‼

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

📖 Read

via "National Vulnerability Database".
🕴 Microsoft Flags Attack Targeting SQL Servers With Novel Approach 🕴

Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.

📖 Read

via "Dark Reading".
🕴 2022: The Year Zero Trust Becomes Mainstream 🕴

It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.

📖 Read

via "Dark Reading".
β™ŸοΈ Senators Urge FTC to Probe ID.me Over Selfie Data β™ŸοΈ

Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.

📖 Read

via "Krebs on Security".