β Atlassian announces 0-day hole in Confluence Server β update now! β
π Read
via "Naked Security".
Zero-day announced - here's what you need to knowπ Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2022-30861 βΌ
π Read
via "National Vulnerability Database".
FUDforum 3.1.2 is vulnerable to Stored XSS via Forum Name field in Forum Manager Feature.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41932 βΌ
π Read
via "National Vulnerability Database".
A blind SQL injection vulnerability in search form in TeamMate+ Audit version 28.0.19.0 allows any authenticated user to create malicious SQL injections, which can result in complete database compromise, gaining information about other users, unauthorized access to audit data etc.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30860 βΌ
π Read
via "National Vulnerability Database".
FUDforum 3.1.2 is vulnerable to Remote Code Execution through Upload File feature of File Administration System in Admin Control Panel.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30863 βΌ
π Read
via "National Vulnerability Database".
FUDForum 3.1.2 is vulnerable to Cross Site Scripting (XSS) via page_title param in Page Manager in the Admin Control Panel.π Read
via "National Vulnerability Database".
π΄ IBM to Buy Attack Surface-Management Firm Randori π΄
π Read
via "Dark Reading".
Randoriβs attack surface management software to be integrated into IBM Security QRadar extended detection and response (XDR) features.π Read
via "Dark Reading".
Dark Reading
IBM to Buy Attack Surface-Management Firm Randori
Randoriβs attack-surface management software will be integrated into IBM Security QRadar extended detection and response (XDR) features.
βΌ CVE-2022-31481 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the Γ’β¬ΕnormalΓ’β¬οΏ½ code execution to that of their choosing. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1940 βΌ
π Read
via "National Vulnerability Database".
A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issuesπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1944 βΌ
π Read
via "National Vulnerability Database".
When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobsπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1935 βΌ
π Read
via "National Vulnerability Database".
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configuredπ Read
via "National Vulnerability Database".
βΌ CVE-2022-31484 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker can send a specially crafted network packet to delete a user from the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29. The impact of this vulnerability is that an unauthenticated attacker could restrict access to the web interface to legitimate users and potentially requiring them to use the default user dip switch procedure to gain access back.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1783 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31479 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable. The injected commands only get executed during start up or when unsafe calls regarding the hostname are used. This allows the attacker to gain remote access to the device and can make their persistence permanent by modifying the filesystem.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2021-39947 βΌ
π Read
via "National Vulnerability Database".
In specific circumstances, trace file buffers in GitLab Runner versions up to 14.3.4, 14.4 to 14.4.2, and 14.5 to 14.5.2 would re-use the file descriptor 0 for multiple traces and mix the output of several jobsπ Read
via "National Vulnerability Database".
βΌ CVE-2022-31480 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a Denial-of-Service (DoS). This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The attacker needs to have a properly signed and encrypted binary, loading the firmware to the device ultimately triggers a reboot.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31482 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker can send a specially crafted unauthenticated HTTP request to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29. The overflowed data leads to segmentation fault and ultimately a denial-of-service condition, causing the device to reboot. The impact of this vulnerability is that an unauthenticated attacker could leverage this flaw to cause the target device to become unresponsive. An attacker could automate this attack to achieve persistent DoS, effectively rendering the target controller useless.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31483 βΌ
π Read
via "National Vulnerability Database".
An authenticated attacker can upload a file with a filename including Γ’β¬Ε..Γ’β¬οΏ½ and Γ’β¬Ε/Γ’β¬οΏ½ to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with root privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31486 βΌ
π Read
via "National Vulnerability Database".
An authenticated attacker can send a specially crafted route to the Γ’β¬Εedit_route.cgiΓ’β¬οΏ½ binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configuration files, or cause the device to become unstable.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1936 βΌ
π Read
via "National Vulnerability Database".
Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configuredπ Read
via "National Vulnerability Database".
βΌ CVE-2022-31485 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker can send a specially crafted packets to update the Γ’β¬ΕnotesΓ’β¬οΏ½ section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1821 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.π Read
via "National Vulnerability Database".