CVE-2021-42850
A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.
via "National Vulnerability Database".
How to Prevent Weak and Exploited Security Controls
A new cybersecurity alert is encouraging organizations to strengthen weak security controls commonly used by attackers to gain access to systems.
via "Fortra".
Lacework Integrates Kubernetes Features to Enhance Security Across Multi-Cloud Environments
Polygraph Data Platform adds Kubernetes audit log monitoring, integration with the Kubernetes admission controller, and Infrastructure as Code (IaC) security to help seamlessly integrate security into developer workflows.
via "Dark Reading".
CVE-2022-30597
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field.
via "National Vulnerability Database".
CVE-2022-25617
Reflected Cross-Site Scripting (XSS) vulnerability in Code Snippets plugin <= 2.14.3 at WordPress via the vulnerable &orderby parameter.
via "National Vulnerability Database".
CVE-2022-30598
A flaw was found in moodle where global search results could include author information on some activities where a user may not otherwise have access to it.
via "National Vulnerability Database".
CVE-2022-30599
A flaw was found in moodle where an SQL injection risk was identified in Badges code relating to configuring criteria.
via "National Vulnerability Database".
CVE-2022-30600
A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.
via "National Vulnerability Database".
CVE-2022-28921
A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server.
via "National Vulnerability Database".
CVE-2022-30111
The use of an insecure algorithm for rolling codes in MCK Smartlock 1.0 allows attackers to unlock the mechanism via replay attacks.
via "National Vulnerability Database".
How Pwn2Own Made Bug Hunting a Real Sport
From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.
via "Dark Reading".
CISA to Federal Agencies: Patch VMware Products Now or Take Them Offline
Last month attackers quickly reverse-engineered VMware patches to launch RCE attacks. CISA warns it's going to happen again.
via "Dark Reading".
MITRE Creates Framework for Supply Chain Security
System of Trust includes data-driven metrics for evaluating the integrity of software, services, and suppliers.
via "Dark Reading".
CVE-2022-29230
Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.
via "National Vulnerability Database".
CVE-2021-38944
IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236.
via "National Vulnerability Database".
CVE-2022-29229
CaSS is a Competency and Skills System. CaSS Library (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an account's cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8; however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client-side certificates to log in. Please note that SSO and client-side certificate authentication do not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator.
via "National Vulnerability Database".
CVE-2022-30991
HTML injection via report name. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240.
via "National Vulnerability Database".
CVE-2022-1774
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.
via "National Vulnerability Database".
CVE-2022-30992
Open redirect via user-controlled query parameter. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240.
via "National Vulnerability Database".
CVE-2022-30994
Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 29240.
via "National Vulnerability Database".
CVE-2022-30990
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 15 (Linux) before build 29240, Acronis Agent (Linux) before build 28037.
via "National Vulnerability Database".