‼ CVE-2022-1742 ‼
via "National Vulnerability Database".
The tested version of Dominion Voting Systems ImageCast X allows for rebooting into Android Safe Mode, which allows an attacker to directly access the operating system. An attacker could leverage this vulnerability to escalate privileges on a device and/or install malicious code.
‼ CVE-2022-30118 ‼
via "National Vulnerability Database".
Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only. Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.
‼ CVE-2022-1517 ‼
via "National Vulnerability Database".
LRM utilizes elevated privileges. An unauthenticated malicious actor can upload and execute code remotely at the operating system level, which can allow an attacker to change settings, configurations, software, or access sensitive data on the affected product. An attacker could also exploit this vulnerability to access APIs not intended for general use and interact through the network.
‼ CVE-2022-2121 ‼
via "National Vulnerability Database".
OFFIS DCMTK (all versions prior to 3.6.7) has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition.
‼ CVE-2021-30651 ‼
via "National Vulnerability Database".
A malicious authenticated SMG administrator user can obtain passwords for external LDAP/Active Directory servers that they might not otherwise be authorized to access.
‼ CVE-2022-1746 ‼
via "National Vulnerability Database".
The authentication mechanism used by poll workers to administer voting using the tested version of Dominion Voting Systems ImageCast X can expose cryptographic secrets used to protect election information. An attacker could leverage this vulnerability to gain access to sensitive information and perform privileged actions, potentially affecting other election equipment.
‼ CVE-2022-1524 ‼
via "National Vulnerability Database".
LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can perform a man-in-the-middle (MITM) attack on sensitive data in transit, including credentials.
🕴 Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say 🕴
via "Dark Reading".
A new study says 97% of open source vulnerabilities linked to software supply chain risks are not attackable — but is "attackability" the best method for prioritizing bugs?
‼ CVE-2022-22390 ‼
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an information disclosure caused by improper privilege management when a table function is used. IBM X-Force ID: 221973.
‼ CVE-2021-42056 ‼
via "National Vulnerability Database".
Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.
‼ CVE-2022-29578 ‼
via "National Vulnerability Database".
Meridian Cooperative Utility Software versions 22.02 and 22.03 allow remote attackers to obtain sensitive information such as name, address, and daily energy usage.
‼ CVE-2021-39047 ‼
via "National Vulnerability Database".
IBM Planning Analytics 2.0 and IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214349.
‼ CVE-2022-33910 ‼
via "National Vulnerability Database".
An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.
‼ CVE-2021-20544 ‼
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198931.
‼ CVE-2022-29330 ‼
via "National Vulnerability Database".
Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemail files via unspecified vectors.
‼ CVE-2021-39408 ‼
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter in the index.php file.
‼ CVE-2021-29768 ‼
via "National Vulnerability Database".
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.
‼ CVE-2021-38871 ‼
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208345.
‼ CVE-2022-20828 ‼
via "National Vulnerability Database".
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA.
‼ CVE-2020-21046 ‼
via "National Vulnerability Database".
A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows an authenticated non-administrative user to escalate their privileges and execute code with SYSTEM privileges.
‼ CVE-2021-40893 ‼
via "National Vulnerability Database".
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-data v0.1.1 when validating crafted invalid emails.