π΄ 2022: The Year Zero Trust Becomes Mainstream π΄
π Read
via "Dark Reading".
It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.π Read
via "Dark Reading".
Dark Reading
2022: The Year Zero Trust Becomes Mainstream
It has never been more important for organizations of all sizes to prioritize securing their users and their infrastructure secrets with zero-trust network access.
βοΈ Senators Urge FTC to Probe ID.me Over Selfie Data βοΈ
π Read
via "Krebs on Security".
Some of more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.π Read
via "Krebs on Security".
Krebsonsecurity
Senators Urge FTC to Probe ID.me Over Selfie Data
Some of more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognitionβ¦
π΄ The Industry Must Better Secure Open Source Code From Threat Actors π΄
π Read
via "Dark Reading".
Build security in up front to secure open source code at the foundational level. Apply security controls, have engineering teams test, do code review, and use attacker-centric behavioral analytics to mitigate threats.π Read
via "Dark Reading".
Dark Reading
The Industry Must Better Secure Open Source Code From Threat Actors
Build security in up front to secure open source code at the foundational level. Apply security controls, have engineering teams test, do code review, and use attacker-centric behavioral analytics to mitigate threats.
π΄ CISA: Unpatched F5 BIG-IP Devices Under Active Attack π΄
π Read
via "Dark Reading".
Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.π Read
via "Dark Reading".
Dark Reading
CISA: Unpatched F5 BIG-IP Devices Under Active Attack
Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.
βΌ CVE-2021-3956 βΌ
π Read
via "National Vulnerability Database".
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports Γ’β¬Εunauthenticated bindΓ’β¬οΏ½, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only Γ’β¬Εauthenticated bindΓ’β¬οΏ½ and/or Γ’β¬Εanonymous bindΓ’β¬οΏ½ are not affected.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-0883 βΌ
π Read
via "National Vulnerability Database".
SLM has an issue with Windows Unquoted/Trusted Service Paths Security Issue. All installations version 9.x.x prior to 9.20.1 should be patched.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22786 βΌ
π Read
via "National Vulnerability Database".
The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22785 βΌ
π Read
via "National Vulnerability Database".
The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1767 βΌ
π Read
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1110 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability in Lenovo Smart Standby Driver prior to version 4.1.50.0 could allow a local attacker to cause denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42852 βΌ
π Read
via "National Vulnerability Database".
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28917 βΌ
π Read
via "National Vulnerability Database".
Tenda AX12 v22.03.01.21_cn was discovered to contain a stack overflow via the lanIp parameter in /goform/AdvSetLanIp.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42848 βΌ
π Read
via "National Vulnerability Database".
An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25161 βΌ
π Read
via "National Vulnerability Database".
Improper Input Validation vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U-xMy/z(x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-xMy/z(x=32,64,96, y=T,R, z=D,DSS) versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MT/DSS-TS versions prior to 1.270, Mitsubishi Electric MELSEC iQ-F series FX5UC-32MR/DS-TS versions prior to 1.270 and Mitsubishi Electric MELSEC iQ-F series FX5UJ-xMy/z(x=24,40,60, y=T,R, z=ES,ESS) versions prior to 1.030 allows a remote unauthenticated attacker to cause a DoS condition for the product's program execution or communication by sending specially crafted packets. System reset of the product is required for recovery.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22776 βΌ
π Read
via "National Vulnerability Database".
The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains easily exploitable vulnerabilities that allows a low privileged attacker with network access to execute Stored Cross Site Scripting (XSS) on the affected system. A successful attack using these vulnerabilities requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42851 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22778 βΌ
π Read
via "National Vulnerability Database".
The Web Server component of TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access to execute Cross-Site Request Forgery (CSRF) on the affected system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO BusinessConnect Trading Community Management: versions 6.1.0 and below.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42704 βΌ
π Read
via "National Vulnerability Database".
Inkscape version 0.19 is vulnerable to an out-of-bounds write, which may allow an attacker to arbitrary execute code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28924 βΌ
π Read
via "National Vulnerability Database".
An information disclosure vulnerability in UniverSIS-Students before v1.5.0 allows attackers to obtain sensitive information via a crafted GET request to the endpoint /api/students/me/courses/.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1734 βΌ
π Read
via "National Vulnerability Database".
A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30105 βΌ
π Read
via "National Vulnerability Database".
In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.π Read
via "National Vulnerability Database".