CVE-2022-27632
via "National Vulnerability Database".
Cross-site request forgery (CSRF) vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker to hijack the authentication of an administrator and conduct arbitrary operations by having a user to view a specially crafted page.
CVE-2022-1727
via "National Vulnerability Database".
Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.
CVE-2022-28717
via "National Vulnerability Database".
Cross-site scripting vulnerability in Rebooter(WATCH BOOT nino RPC-M2C [End of Sale] all firmware versions, WATCH BOOT light RPC-M5C [End of Sale] all firmware versions, WATCH BOOT L-zero RPC-M4L [End of Sale] all firmware versions, WATCH BOOT mini RPC-M4H [End of Sale] all firmware versions, WATCH BOOT nino RPC-M2CS firmware version 1.00A to 1.00D, WATCH BOOT light RPC-M5CS firmware version 1.00A to 1.00D, WATCH BOOT L-zero RPC-M4LS firmware version 1.00A to 1.20A, and Signage Rebooter RPC-M4HSi firmware version 1.00A), PoE Rebooter(PoE BOOT nino PoE8M2 firmware version 1.00A to 1.20A), Scheduler(TIME BOOT mini RSC-MT4H [End of Sale] all firmware versions, TIME BOOT RSC-MT8F [End of Sale] all firmware versions, TIME BOOT RSC-MT8FP [End of Sale] all firmware versions, TIME BOOT mini RSC-MT4HS firmware version 1.00A to 1.10A, and TIME BOOT RSC-MT8FS firmware version 1.00A to 1.00E), and Contact Converter(POSE SE10-8A7B1 firmware version 1.00A to 1.20A) allows a remote attacker with the administrative privilege to inject an arbitrary script via unspecified vectors.
CVE-2022-29516
via "National Vulnerability Database".
The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.
CVE-2022-1430
via "National Vulnerability Database".
Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0.
CVE-2022-30065
via "National Vulnerability Database".
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
CVE-2022-1782
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11.
CVE-2021-27548
via "National Vulnerability Database".
There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
Microsoft Flags Attack Targeting SQL Servers With Novel Approach
via "Dark Reading".
Attackers appear to have found a way around PowerShell monitoring by using a default utility instead.
2022: The Year Zero Trust Becomes Mainstream
via "Dark Reading".
It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.
Senators Urge FTC to Probe ID.me Over Selfie Data
via "Krebs on Security".
Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.
The Industry Must Better Secure Open Source Code From Threat Actors
via "Dark Reading".
Build security in up front to secure open source code at the foundational level. Apply security controls, have engineering teams test, do code review, and use attacker-centric behavioral analytics to mitigate threats.
CISA: Unpatched F5 BIG-IP Devices Under Active Attack
via "Dark Reading".
Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.
CVE-2021-3956
via "National Vulnerability Database".
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports "unauthenticated bind", such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only "authenticated bind" and/or "anonymous bind" are not affected.
CVE-2022-0883
via "National Vulnerability Database".
SLM has an issue with Windows Unquoted/Trusted Service Paths Security Issue. All installations version 9.x.x prior to 9.20.1 should be patched.
CVE-2022-22786
via "National Vulnerability Database".
The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.
CVE-2022-22785
via "National Vulnerability Database".
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting user's Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.
CVE-2022-1767
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.
CVE-2022-1110
via "National Vulnerability Database".
A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.
CVE-2021-42852
via "National Vulnerability Database".
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.
CVE-2022-28917
via "National Vulnerability Database".
Tenda AX12 v22.03.01.21_cn was discovered to contain a stack overflow via the lanIp parameter in /goform/AdvSetLanIp.