‼ CVE-2022-23169 ‼
📖 Read
via "National Vulnerability Database".
attacker needs to craft a SQL payload. the vulnerable parameter is "agentid" must be authenticated to the admin panel.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41447 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23167 ‼
📖 Read
via "National Vulnerability Database".
Attacker crafts a GET request to: /mobile/downloadfile.aspx? Filename =../.. /windows/boot.ini the LFI is UNAUTHENTICATED.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41448 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41453 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31754 ‼
📖 Read
via "National Vulnerability Database".
Logical defects in code implementation in some products. Successful exploitation of this vulnerability may affect the availability of some features.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31752 ‼
📖 Read
via "National Vulnerability Database".
Missing authorization vulnerability in the system components. Successful exploitation of this vulnerability will affect confidentiality.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31760 ‼
📖 Read
via "National Vulnerability Database".
Dialog boxes can still be displayed even if the screen is locked in carrier-customized USSD services. Successful exploitation of this vulnerability may affect data integrity and confidentiality.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31761 ‼
📖 Read
via "National Vulnerability Database".
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect confidentiality.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31753 ‼
📖 Read
via "National Vulnerability Database".
The voice wakeup module has a vulnerability of using externally-controlled format strings. Successful exploitation of this vulnerability may affect system availability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31757 ‼
📖 Read
via "National Vulnerability Database".
The setting module has a vulnerability of improper use of APIs. Successful exploitation of this vulnerability may affect data confidentiality.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41452 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
🕴 Exposed Travis CI API Leaves All Free-Tier Users Open to Attack 🕴
📖 Read
via "Dark Reading".
Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.📖 Read
via "Dark Reading".
Dark Reading
Exposed Travis CI API Leaves All Free-Tier Users Open to Attack
Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.
‼ CVE-2021-40604 ‼
📖 Read
via "National Vulnerability Database".
A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. In some cases an exploitation is possible by an unauthenticated user.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22259 ‼
📖 Read
via "National Vulnerability Database".
There is an improper authentication vulnerability in FLMG-10 10.0.1.0(H100SP22C00). Successful exploitation of this vulnerability may lead to a control of the victim device.📖 Read
via "National Vulnerability Database".
🕴 Kaiser Permanente Breach Exposes Data on 70K Patients 🕴
📖 Read
via "Dark Reading".
Employee email compromise potentially exposed patients' medical information, including lab test results and dates of services.📖 Read
via "Dark Reading".
Dark Reading
Kaiser Permanente Breach Exposes Data on 70K Patients
Employee email compromise potentially exposed patients' medical information, including lab test results and dates of services.
🕴 CISA Recommends Organizations Update to the Latest Version of Google Chrome 🕴
📖 Read
via "Dark Reading".
Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.📖 Read
via "Dark Reading".
Darkreading
CISA Recommends Organizations Update to the Latest Version of Google Chrome
Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.
‼ CVE-2022-31053 ‼
📖 Read
via "National Vulnerability Database".
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid ?-signatures. Such an attack would allow an attacker to create a token with any access level. The version 2 of the specification mandates a different algorithm than gamma signatures and as such is not affected by this vulnerability. The Biscuit implementations in Rust, Haskell, Go, Java and Javascript all have published versions following the v2 specification. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32193 ‼
📖 Read
via "National Vulnerability Database".
Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29247 ‼
📖 Read
via "National Vulnerability Database".
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`. The `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs, which include `ipcRenderer`. If the application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled. Electron versions 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 contain a fix for this issue. As a workaround, ensure that all IPC message handlers appropriately validate `senderFrame`.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32560 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Couchbase Server before 7.0.4. XDCR lacks role checking when changing internal settings.📖 Read
via "National Vulnerability Database".