CVE-2021-43729 (via National Vulnerability Database)
Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter.

CVE-2021-30028 (via National Vulnerability Database)
SOOTEWAY Wi-Fi Range Extender v1.5 was discovered to use default credentials (the admin password for the admin account) to access the TELNET service, allowing attackers to erase/read/write the firmware remotely.

CVE-2021-43728 (via National Vulnerability Database)
Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized SSID parameter.

CVE-2022-31245 (via National Vulnerability Database)
mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

Microsoft Rushes a Fix After May Patch Tuesday Breaks Authentication (via Dark Reading)
Two of Microsoft's Patch Tuesday updates need a do-over after causing certificate-based authentication errors.

Friday Five 5/20 (via Digital Guardian)
In this week's Friday Five, read about the outing of a ransomware mastermind, growing threats against the global maritime supply chain, an under-the-radar iPhone exploit, and more!

CVE-2022-29160 (via National Vulnerability Database)
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available.

CVE-2022-22365 (via National Vulnerability Database)
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL server hostnames. IBM X-Force ID: 220904.

CVE-2022-29163 (via National Vulnerability Database)
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a link that is not password protected even if the administrator requires links to be password protected. Versions 22.2.6 and 23.0.3 contain a patch for this issue. There are currently no known workarounds.

CVE-2021-39043 (via National Vulnerability Database)
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214032.

CVE-2022-29159 (via National Vulnerability Database)
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no currently known workarounds available.

CVE-2022-24906 (via National Vulnerability Database)
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.

CVE-2022-29177 (via National Vulnerability Database)
Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting loglevel to the default level (`INFO`) makes the node not vulnerable to this attack.

CVE-2022-29170 (via National Vulnerability Database)
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security allow list feature allows Grafana to be configured so that the instance doesn't call any hosts, or only calls specific hosts. The vulnerability, present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3, allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

Quantum Key Distribution for a Post-Quantum World (via Dark Reading)
New versions of QKD use separate wavelengths on the same fiber, improving cost and efficiency, but distance is still a challenge.

Partial Patching Still Provides Strong Protection Against APTs (via Dark Reading)
Organizations that deploy updates only after a vulnerability is disclosed apply far fewer updates and do so at a lower cost than those that stay up to date on all of their software, university researchers say.

Chatbot Army Deployed in Latest DHL Shipping Phish (via Dark Reading)
In a new phishing tactic, faux chatbots establish a conversation with victims to guide them to malicious links, researchers say.

CVE-2022-29183 (via National Vulnerability Database)
GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over, the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.

CVE-2022-29181 (via National Vulnerability Database)
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a `String` by calling `#to_s` or equivalent.

CVE-2022-1770 (via National Vulnerability Database)
Improper Privilege Management in GitHub repository polonel/trudesk prior to 1.2.2.

CVE-2022-29178 (via National Vulnerability Database)
Cilium is open source software for providing and securing network connectivity and load balancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorrect default permissions vulnerability. On operating systems with users belonging to the group ID 1000, those users can access the API of Cilium via the Unix domain socket available on the host where Cilium is running. This could allow malicious users to compromise integrity as well as system availability on that host. The problem has been fixed and the patch is available in versions 1.9.16, 1.10.11, and 1.11.5. A potential workaround is to modify Cilium's DaemonSet to run with a certain command, which can be found in the GitHub Security Advisory for this vulnerability.