βΌ CVE-2022-31041 βΌ
π Read
via "National Vulnerability Database".
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...). The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks. Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of open-forms may be able to scan for and block malicious content before it reaches the Open Forms application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1781 βΌ
π Read
via "National Vulnerability Database".
The postTabs WordPress plugin through 2.10.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escapingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2067 βΌ
π Read
via "National Vulnerability Database".
SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-31400 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in /staff/setup/email-addresses of Helpdeskz v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email name field.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2066 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06.π Read
via "National Vulnerability Database".
ποΈ Cybercriminals use reverse tunneling and URL shorteners to launch βvirtually undetectableβ phishing campaigns ποΈ
π Read
via "The Daily Swig".
New hacking technique allows threat actors to evade some of the most effective phishing countermeasuresπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Cybercriminals use reverse tunneling and URL shorteners to launch βvirtually undetectableβ phishing campaigns
New hacking technique allows threat actors to evade some of the most effective phishing countermeasures
π1
ποΈ Kaiser Permanente data breach exposed healthcare records of 70,000 patients ποΈ
π Read
via "The Daily Swig".
Health plan provider plays down ID theft fears after breach at Washington state divisionπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Kaiser Permanente data breach exposed healthcare records of 70,000 patients
Health plan provider plays down ID theft fears after breach at Washington state division
βΌ CVE-2022-1820 βΌ
π Read
via "National Vulnerability Database".
The Keep Backup Daily plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Γ’β¬ΛtΓ’β¬β’ parameter in versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30310 βΌ
π Read
via "National Vulnerability Database".
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesnΓΒ’Γ’β¬ÒβΒ’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1658 βΌ
π Read
via "National Vulnerability Database".
Vulnerable versions of the Jupiter Theme (<= 6.10.1) allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31759 βΌ
π Read
via "National Vulnerability Database".
AppLink has a vulnerability of accessing uninitialized pointers. Successful exploitation of this vulnerability may affect system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30309 βΌ
π Read
via "National Vulnerability Database".
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesnΓΒ’Γ’β¬ÒβΒ’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31751 βΌ
π Read
via "National Vulnerability Database".
The kernel emcom module has multi-thread contention. Successful exploitation of this vulnerability may affect system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31756 βΌ
π Read
via "National Vulnerability Database".
The fingerprint sensor module has design defects. Successful exploitation of this vulnerability may affect data confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31758 βΌ
π Read
via "National Vulnerability Database".
The kernel module has the race condition vulnerability. Successful exploitation of this vulnerability may affect data confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31762 βΌ
π Read
via "National Vulnerability Database".
The AMS module has a vulnerability in input validation. Successful exploitation of this vulnerability may cause privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29244 βΌ
π Read
via "National Vulnerability Database".
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30308 βΌ
π Read
via "National Vulnerability Database".
In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesnΓΒ’Γ’β¬ÒβΒ’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1657 βΌ
π Read
via "National Vulnerability Database".
Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1961 βΌ
π Read
via "National Vulnerability Database".
The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the `~/public/frontend.php` file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1659 βΌ
π Read
via "National Vulnerability Database".
Vulnerable versions of the JupiterX Core (<= 2.0.6) plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter. This can be used to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.π Read
via "National Vulnerability Database".