CVE-2021-32934
via "National Vulnerability Database".
The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with the nossl tag, device firmware not using AuthKey for the IOTC connection, firmware using the AVAPI module without enabling the DTLS mechanism, and firmware using the P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.
CVE-2020-16209
via "National Vulnerability Database".
A malicious attacker could exploit the interface of the Fieldcomm Group HART-IP (release 1.0.0.0) by constructing messages with sufficiently large payloads to overflow the internal buffer and crash the device, or obtain control of the device.
CVE-2020-14496
via "National Vulnerability Database".
Successful exploitation of this vulnerability for multiple Mitsubishi Electric Factory Automation Engineering Software Products of various versions could allow an attacker to escalate privilege and execute malicious programs, which could cause a denial-of-service condition, and allow information to be disclosed, tampered with, and/or destroyed.
CVE-2022-30618
via "National Vulnerability Database".
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users' accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.
CVE-2022-1413
via "National Vulnerability Database".
Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface.
CVE-2022-28946
via "National Vulnerability Database".
An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret every expression, causing a Denial of Service (DoS) via triggering out-of-range memory access.
CVE-2022-1423
via "National Vulnerability Database".
Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches.
CVE-2022-1416
via "National Vulnerability Database".
Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker-controlled HTML tags and CSS styling.
CVE-2020-16235
via "National Vulnerability Database".
Inadequate encryption may allow the credentials used by Emerson OpenEnterprise, up through version 3.3.5, to access field devices and external systems to be obtained.
CVE-2020-16231
via "National Vulnerability Database".
The affected Bachmann Electronic M-Base Controllers of version MSYS v1.06.14 and later use weak cryptography to protect device passwords. Affected controllers that are actively supported include the MX207, MX213, MX220, MC206, MC212, MC220, and MH230 hardware controllers, and affected end-of-life controllers include the MC205, MC210, MH212, ME203, CS200, MP213, MP226, MPC240, MPC265, MPC270, MPC293, MPE270, and CPC210 hardware controllers. Security Level 0 is set as the manufacturer default, which could allow an unauthenticated remote attacker to gain access to the password hashes. Security Level 4 is susceptible if an authenticated remote attacker, or an unauthenticated person with physical access to the device, reads and decrypts the password to conduct further attacks.
Deadbolt Ransomware Targeting QNAP NAS Devices
via "Dark Reading".
QNAP is urging customers of its NAS products to update QTS and avoid exposing the devices to the Internet.
More Than 1,000 Cybersecurity Career Pursuers Complete the (ISC)² Entry-Level Cybersecurity Certification Pilot Exam
via "Dark Reading".
New professional certification program establishes a pathway into the workforce for students and career changers by demonstrating their foundational knowledge, skills and abilities to employers.
CVE-2022-29652
via "National Vulnerability Database".
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.
CVE-2022-28962
via "National Vulnerability Database".
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=delete_client.
CVE-2022-28961
via "National Vulnerability Database".
Spip Web Framework v3.1.13 and below was discovered to contain multiple SQL injection vulnerabilities at /ecrire via the lier_trad and where parameters.
CVE-2022-28960
via "National Vulnerability Database".
A PHP injection vulnerability in Spip before v3.2.8 allows attackers to execute arbitrary PHP code via the _oups parameter at /ecrire.
CVE-2022-28948
via "National Vulnerability Database".
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
CVE-2022-28959
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities in the component /spip.php of Spip Web Framework v3.1.13 and below allow attackers to execute arbitrary web scripts or HTML.
CVE-2022-29304
via "National Vulnerability Database".
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility.
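The three Online Sports Complex Booking System entries (save_client, delete_client, delete_ Facility) and the Spip /ecrire entry all describe the same defect class: a request parameter spliced into SQL text. The following is an added example, not code from either project, showing that anti-pattern in a numeric context (a delete-by-id handler) and a string context (a lookup-by-name handler) beside the parameterized form of each, against a constructed in-memory SQLite table. The table, column names and payloads are assumptions for illustration; the page does not describe the affected applications' queries.

```python
import sqlite3

# Constructed sample data standing in for the application's client table.
SAMPLE_CLIENTS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def fresh_db() -> sqlite3.Connection:
    """Build an in-memory table with three rows so each scenario starts clean."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO clients (name, email) VALUES (?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def count_clients(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM clients").fetchone()[0]


# --- Numeric context (the delete_client / delete_facility shape) -------------

def delete_client_vulnerable(conn: sqlite3.Connection, client_id: str) -> int:
    """Anti-pattern: the id parameter is formatted straight into the statement.
    '0 OR 1=1' turns the WHERE clause into a tautology and deletes every row."""
    cur = conn.execute(f"DELETE FROM clients WHERE id = {client_id}")
    conn.commit()
    return cur.rowcount


def delete_client_safe(conn: sqlite3.Connection, client_id: str) -> int:
    """Hardened: validate the shape of the id, then bind it as a parameter so the
    database never parses attacker text as SQL."""
    if not client_id.isdigit():
        raise ValueError("client id must be a non-negative integer")
    cur = conn.execute("DELETE FROM clients WHERE id = ?", (int(client_id),))
    conn.commit()
    return cur.rowcount


# --- String context (the save_client / lier_trad shape) ----------------------

def find_clients_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: a quoted string literal built by concatenation. The payload
    x' OR '1'='1 closes the literal and appends a tautology."""
    return conn.execute(f"SELECT id, name FROM clients WHERE name = '{name}'").fetchall()


def find_clients_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the same query with a bound parameter; the quote in the payload is
    just a character inside the value and matches no row."""
    return conn.execute("SELECT id, name FROM clients WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    delete_client_vulnerable(conn, "0 OR 1=1")
    print("rows left after injected delete:", count_clients(conn))
    conn = fresh_db()
    print("rows matched by injected lookup:", len(find_clients_vulnerable(conn, "x' OR '1'='1")))
    print("rows matched by bound lookup:   ", len(find_clients_safe(conn, "x' OR '1'='1")))
```

The validation step in delete_client_safe is belt-and-braces: binding alone already defeats the injection, but rejecting a non-numeric id also gives the application a clean 4xx to return instead of a database error, which is what an attacker probing for injection is looking for.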
CVE-2020-4107
via "National Vulnerability Database".
HCL Domino is affected by an Insufficient Access Control vulnerability. An authenticated attacker with local access to the system could exploit this vulnerability to attain escalation of privileges, denial of service, or information disclosure.
CVE-2022-28987
via "National Vulnerability Database".
ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
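The entry above names the weakness class but not the oracle the login endpoint exposes. As an added example that is not ManageEngine's code, the following contrasts a login handler that leaks account existence (distinct status codes and messages for "no such user" versus "wrong password", plus a password-hash verification that is skipped for unknown users, so the timing differs too) with one that returns a single uniform failure and pays the same hashing cost on every path. The user store, PBKDF2 parameters and the `enumerates` probe are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # assumed work factor; real deployments tune this per hardware


def make_record(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record for the constructed user store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(salt: bytes, digest: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: one real account.
USERS = {"alice": make_record("correct horse battery staple")}

# A throwaway record with a random password, verified against when the username is
# unknown so that the unknown-user path costs the same as the wrong-password path.
_DUMMY_RECORD = make_record(secrets.token_hex(16))


def login_vulnerable(username: str, password: str) -> tuple:
    """Leaks existence: different status/message per failure cause, and the
    expensive hash check only runs for accounts that exist."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "Unknown user"
    if not verify(*rec, password):
        return 401, "Invalid password"
    return 200, "OK"


def login_hardened(username: str, password: str) -> tuple:
    """Uniform failure: same status and text whether the account exists or not,
    and a hash verification on every path so response time does not tell either."""
    rec = USERS.get(username)
    salt, digest = rec if rec is not None else _DUMMY_RECORD
    ok = verify(salt, digest, password)
    if rec is None or not ok:
        return 401, "Invalid username or password"
    return 200, "OK"


def enumerates(login) -> bool:
    """Probe: can a wrong password distinguish a real account from a fake one
    by the response alone? True means the endpoint is a username oracle."""
    return login("alice", "wrong-password") != login("nobody", "wrong-password")


if __name__ == "__main__":
    print("vulnerable handler enumerates:", enumerates(login_vulnerable))
    print("hardened handler enumerates:  ", enumerates(login_hardened))
```

The `enumerates` probe only checks the response body and status; a real assessment would also compare response timing, and the dummy-record verification in `login_hardened` is what keeps that channel closed. Lockout counters and audit logs should likewise be written identically for both failure causes, or they become the next oracle.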