βΌ CVE-2022-29230 βΌ
π Read
via "National Vulnerability Database".
Hydrogen is a React-based framework for building dynamic, Shopify-powered custom storefronts. There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. All Hydrogen users should upgrade their project to version 0.19.0. There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38944 βΌ
π Read
via "National Vulnerability Database".
IBM DataPower Gateway 10.0.2.0 through 1.0.3.0, 10.0.1.0 through 10.0.1.5, and 2018.4.1.0 through 2018.4.1.18 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 211236.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29229 βΌ
π Read
via "National Vulnerability Database".
CaSS is a Competency and Skills System. CaSS Library, (npm:cassproject) has a missing cryptographic step when storing cryptographic keys that can allow a server administrator access to an accountΓ’β¬β’s cryptographic keys. This affects CaSS servers using standalone username/password authentication, which uses a method that expects e2e cryptographic security of authorization credentials. The issue has been patched in 1.5.8, however, the vulnerable accounts are only resecured when the user next logs in using standalone authentication, as the data required to resecure the account is not available to the server. The issue may be mitigated by using SSO or client side certificates to log in. Please note that SSO and client side certificate authentication does not have this expectation of no-knowledge credential access, and cryptographic keys are available to the server administrator.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30991 βΌ
π Read
via "National Vulnerability Database".
HTML injection via report name. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240π Read
via "National Vulnerability Database".
βΌ CVE-2022-1774 βΌ
π Read
via "National Vulnerability Database".
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30992 βΌ
π Read
via "National Vulnerability Database".
Open redirect via user-controlled query parameter. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240π Read
via "National Vulnerability Database".
βΌ CVE-2022-30994 βΌ
π Read
via "National Vulnerability Database".
Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 29240π Read
via "National Vulnerability Database".
βΌ CVE-2022-30990 βΌ
π Read
via "National Vulnerability Database".
Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis Cyber Protect 15 (Linux) before build 29240, Acronis Agent (Linux) before build 28037π Read
via "National Vulnerability Database".
βΌ CVE-2022-30033 βΌ
π Read
via "National Vulnerability Database".
Tenda TX9 Pro V22.03.02.10 is vulnerable to Buffer Overflow via the functtion setIPv6Status() in httpd module.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1771 βΌ
π Read
via "National Vulnerability Database".
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30993 βΌ
π Read
via "National Vulnerability Database".
Cleartext transmission of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 29240π Read
via "National Vulnerability Database".
βΌ CVE-2022-1670 βΌ
π Read
via "National Vulnerability Database".
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1183 βΌ
π Read
via "National Vulnerability Database".
On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affects BIND 9.18.0 -> 9.18.2 and version 9.19.0 of the BIND 9.19 development branch.π Read
via "National Vulnerability Database".
ποΈ Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw ποΈ
π Read
via "The Daily Swig".
Mischief-makers could βdisrupt the availability, integrity and confidentialityβ of other tenantsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Rogue cloud users could sabotage fellow off-prem tenants via critical Flux flaw
Mischief-makers could βdisrupt the availability, integrity and confidentialityβ of other tenants
β Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover β
π Read
via "Threat Post".
Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.π Read
via "Threat Post".
Threat Post
Critical Vulnerability in Premium WordPress Themes Allows for Site Takeover
Privilege escalation flaw discovered in the Jupiter and JupiterX Core Plugin affects more than 90,000 sites.
π΄ Phishing Attacks for Initial Access Surged 54% in Q1 π΄
π Read
via "Dark Reading".
For the first time in a year, security incidents involving email compromises surpassed ransomware incidents, a new analysis shows.π Read
via "Dark Reading".
Dark Reading
Phishing Attacks for Initial Access Surged 54% in Q1
For the first time in a year, security incidents involving email compromises surpassed ransomware incidents, a new analysis shows.
β Pwn2Own hacking schedule released β Windows and Linux are top targets β
π Read
via "Naked Security".
What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?π Read
via "Naked Security".
Naked Security
Pwn2Own hacking schedule released β Windows and Linux are top targets
Whatβs better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?
β S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast] β
π Read
via "Naked Security".
Latest episode - listen now!π Read
via "Naked Security".
Naked Security
S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]
Latest episode β listen now!
π΄ 6 Scary Tactics Used in Mobile App Attacks π΄
π Read
via "Dark Reading".
Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.π Read
via "Dark Reading".
ποΈ Encrypted email service CTemplar announces closure ποΈ
π Read
via "The Daily Swig".
Privacy-focused service to shut down by the end of the monthπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Encrypted email service CTemplar announces closure
Privacy-focused service to shut down by the end of the month
βΌ CVE-2022-1785 βΌ
π Read
via "National Vulnerability Database".
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.π Read
via "National Vulnerability Database".