βΌ CVE-2022-25163 βΌ
π Read
via "National Vulnerability Database".
Improper Input Validation vulnerability in Mitsubishi Electric MELSEC-Q Series QJ71E71-100 first 5 digits of serial number "24061" or prior, Mitsubishi Electric MELSEC-L series LJ71E71-100 first 5 digits of serial number "24061" or prior and Mitsubishi Electric MELSEC iQ-R Series RD81MES96N firmware version "08" or prior allows a remote unauthenticated attacker to cause a denial of service (DoS) condition or execute malicious code on the target products by sending specially crafted packets.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30429 βΌ
π Read
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities in Neos CMS allow attackers with the editor role or higher to inject arbitrary script or HTML code using the editor function, the deletion of assets, or a workspace title. The vulnerabilities were found in versions 3.3.29 and 8.0.1 and could also be present in all intermediate versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1982 βΌ
π Read
via "National Vulnerability Database".
Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26497 βΌ
π Read
via "National Vulnerability Database".
BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1716 βΌ
π Read
via "National Vulnerability Database".
An attacker with physical access to the victim's device can bypass the application's password/pin lock to access user data. This is possible due to lack of adequate security controls to prevent dynamic code manipulation.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1979 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Product Show Room Site 1.0. It has been declared as problematic. This vulnerability affects p=contact. The manipulation of the Message textbox with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires authentication. Exploit details have been disclosed to the public.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45982 βΌ
π Read
via "National Vulnerability Database".
NetScout nGeniusONE 6.3.2 allows Arbitrary File Upload by a privileged user.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29704 βΌ
π Read
via "National Vulnerability Database".
BrowsBox CMS v4.0 was discovered to contain a SQL injection vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42875 βΌ
π Read
via "National Vulnerability Database".
TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32019 βΌ
π Read
via "National Vulnerability Database".
Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via car-rental-management-system/admin/ajax.php?action=save_car.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1980 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Product Show Room Site 1.0. It has been rated as problematic. This issue affects the file /admin/?page=system_info/contact_info. The manipulation of the textbox Telephone with the input <script>alert(1)</script> leads to cross site scripting. The attack may be initiated remotely but requires authentication. Expliot details have been disclosed to the public.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45983 βΌ
π Read
via "National Vulnerability Database".
NetScout nGeniusONE 6.3.2 allows Java RMI Code Execution.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26944 βΌ
π Read
via "National Vulnerability Database".
Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38221 βΌ
π Read
via "National Vulnerability Database".
bbs-go <= 3.3.0 including Custom Edition is vulnerable to stored XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31023 βΌ
π Read
via "National Vulnerability Database".
Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29597 βΌ
π Read
via "National Vulnerability Database".
Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45981 βΌ
π Read
via "National Vulnerability Database".
NetScout nGeniusONE 6.3.2 allows an XML External Entity (XXE) attack.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31024 βΌ
π Read
via "National Vulnerability Database".
richdocuments is the repository for NextCloud Collabra, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available.π Read
via "National Vulnerability Database".
β Yet another zero-day (sort of) in Windows βsearch URLβ handling β
π Read
via "Naked Security".
More trouble with special-purpose URLs on Windows.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
β S3 Ep85: Now THATβS what I call a Microsoft Office exploit! [Podcast] β
π Read
via "Naked Security".
Latest episode - listen now!π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Gurucul Launches Cloud-Native SOC Platform Pushing the Boundaries of Next-Gen SIEM and XDR with Identity Threat Detection and Response π΄
π Read
via "Dark Reading".
Gurucul automating threat detection, investigation and response (TDIR) with advanced analytics, comprehensive threat content, and a flexible enterprise risk engine for hybrid and multi-cloud environments.π Read
via "Dark Reading".
Dark Reading
Gurucul Launches Cloud-Native SOC Platform Pushing the Boundaries of Next-Gen SIEM and XDR with Identity Threat Detection and Response
Gurucul automating threat detection, investigation and response (TDIR) with advanced analytics, comprehensive threat content, and a flexible enterprise risk engine for hybrid and multi-cloud environments.