βΌ CVE-2021-26631 βΌ
π Read
via "National Vulnerability Database".
Improper input validation vulnerability in Mangboard commerce package could lead to occur for abnormal request. A remote attacker can exploit this vulnerability to manipulate the total order amount into a negative number and then pay for the order.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22978 βΌ
π Read
via "National Vulnerability Database".
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26630 βΌ
π Read
via "National Vulnerability Database".
Improper input validation vulnerability in HANDY GroupwareΓ’β¬β’s ActiveX moudle allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30018 βΌ
π Read
via "National Vulnerability Database".
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine to gain admin access to the software and gain access to recordings/recording locations.π Read
via "National Vulnerability Database".
β€2
βΌ CVE-2021-45730 βΌ
π Read
via "National Vulnerability Database".
JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1730 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.π Read
via "National Vulnerability Database".
π΄ Dig Exits Stealth With $11M for Cloud Data Detection and Response Solution π΄
π Read
via "Dark Reading".
CrowdStrike and CyberArk invest in Dig's seed round, which was led by Team8, alongside Merlin Ventures and chairs of MongoDB and Exabeam.π Read
via "Dark Reading".
Dark Reading
Dig Exits Stealth With $11M for Cloud Data Detection and Response Solution
CrowdStrike and CyberArk invest in Dig's seed round, which was led by Team8, alongside Merlin Ventures and chairs of MongoDB and Exabeam.
π΄ Majority of Kubernetes API Servers Exposed to the Public Internet π΄
π Read
via "Dark Reading".
Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.π Read
via "Dark Reading".
Dark Reading
Majority of Kubernetes API Servers Exposed to the Public Internet
Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.
π New Bill Would Boost Cyber Sharing Between DHS and States π
π Read
via "".
If passed, the legislation would promote stronger cybersecurity collaboration between the Department of Homeland Security (DHS) and state and local governments.π Read
via "".
Digital Guardian
New Bill Would Boost Cyber Sharing Between DHS and States
If passed, the legislation would promote stronger cybersecurity collaboration between the Department of Homeland Security (DHS) and state and local governments.
π΄ DoJ Won't Charge 'Good Faith' Security Researchers π΄
π Read
via "Dark Reading".
Revised policy means security analysts won't be charged under the Computer Fraud and Abuse Act.π Read
via "Dark Reading".
Dark Reading
DoJ Won't Charge 'Good Faith' Security Researchers
Revised policy means security analysts won't be charged under the Computer Fraud and Abuse Act.
π΄ Pro-Russian Information Operations Escalate in Ukraine War π΄
π Read
via "Dark Reading".
In the three months since the war started, Russian operatives and those allied with the nation's interests have unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine, security vendor says.π Read
via "Dark Reading".
Dark Reading
Pro-Russian Information Operations Escalate in Ukraine War
In the three months since the war started, Russian operatives and those allied with the nation's interests have unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine, security vendor says.
βΌ CVE-2022-30617 βΌ
π Read
via "National Vulnerability Database".
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged Γ’β¬ΕauthorΓ’β¬οΏ½ role account can view these details in the JSON response for an Γ’β¬ΕeditorΓ’β¬οΏ½ or Γ’β¬Εsuper adminΓ’β¬οΏ½ that has updated one of the authorΓ’β¬β’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other usersΓ’β¬β’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a Γ’β¬Εsuper adminΓ’β¬οΏ½ account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32934 βΌ
π Read
via "National Vulnerability Database".
The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.π Read
via "National Vulnerability Database".
βΌ CVE-2020-16209 βΌ
π Read
via "National Vulnerability Database".
A malicious attacker could exploit the interface of the Fieldcomm Group HART-IP (release 1.0.0.0) by constructing messages with sufficiently large payloads to overflow the internal buffer and crash the device, or obtain control of the device.π Read
via "National Vulnerability Database".
βΌ CVE-2020-14496 βΌ
π Read
via "National Vulnerability Database".
Successful exploitation of this vulnerability for multiple Mitsubishi Electric Factory Automation Engineering Software Products of various versions could allow an attacker to escalate privilege and execute malicious programs, which could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30618 βΌ
π Read
via "National Vulnerability Database".
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these usersΓ’β¬β’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1413 βΌ
π Read
via "National Vulnerability Database".
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interfaceπ Read
via "National Vulnerability Database".
βΌ CVE-2022-28946 βΌ
π Read
via "National Vulnerability Database".
An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1423 βΌ
π Read
via "National Vulnerability Database".
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branchesπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1416 βΌ
π Read
via "National Vulnerability Database".
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS stylingπ Read
via "National Vulnerability Database".
βΌ CVE-2020-16235 βΌ
π Read
via "National Vulnerability Database".
Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.π Read
via "National Vulnerability Database".