‼ CVE-2022-1524 ‼
📖 Read
via "National Vulnerability Database".
LRM version 2.4 and lower does not implement TLS encryption. A malicious actor can MITM attack sensitive data in-transit, including credentials.📖 Read
via "National Vulnerability Database".
🕴 Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say 🕴
📖 Read
via "Dark Reading".
A new study says 97% of open source vulnerabilities linked to software supply chain risks are not attackable — but is "attackability" the best method for prioritizing bugs?📖 Read
via "Dark Reading".
Dark Reading
Only 3% of Open Source Software Bugs Are Actually Attackable, Researchers Say
A new study says 97% of open source vulnerabilities linked to software supply chain risks are not attackable — but is "attackability" the best method for prioritizing bugs?
‼ CVE-2022-22390 ‼
📖 Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an information disclosure caused by improper privilege management when table function is used. IBM X-Force ID: 221973.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42056 ‼
📖 Read
via "National Vulnerability Database".
Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29578 ‼
📖 Read
via "National Vulnerability Database".
Meridian Cooperative Utility Software versions 22.02 and 22.03 allows remote attackers to obtain sensitive information such as name, address, and daily energy usage.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39047 ‼
📖 Read
via "National Vulnerability Database".
IBM Planning Analytics 2.0 and IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214349.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33910 ‼
📖 Read
via "National Vulnerability Database".
An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20544 ‼
📖 Read
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 198931.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29330 ‼
📖 Read
via "National Vulnerability Database".
Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39408 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter on the index.php file📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29768 ‼
📖 Read
via "National Vulnerability Database".
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38871 ‼
📖 Read
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 208345.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-20828 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21046 ‼
📖 Read
via "National Vulnerability Database".
A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows authenticated non-administrative user to escalate their privilege and conduct code execution as a SYSTEM privilege.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40893 ‼
📖 Read
via "National Vulnerability Database".
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-data v0.1.1 when validating crafted invalid emails.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27238 ‼
📖 Read
via "National Vulnerability Database".
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22502 ‼
📖 Read
via "National Vulnerability Database".
IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227124.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-30028 ‼
📖 Read
via "National Vulnerability Database".
Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20543 ‼
📖 Read
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 198929.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39409 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-20829 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of those images by Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker with administrative privileges to upload an ASDM image that contains malicious code to a device that is running Cisco ASA Software. This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software. An attacker could exploit this vulnerability by installing a crafted ASDM image on the device that is running Cisco ASA Software and then waiting for a targeted user to access that device using ASDM. A successful exploit could allow the attacker to execute arbitrary code on the machine of the targeted user with the privileges of that user on that machine. Notes: To successfully exploit this vulnerability, the attacker must have administrative privileges on the device that is running Cisco ASA Software. Potential targets are limited to users who manage the same device that is running Cisco ASA Software using ASDM. Cisco has released and will release software updates that address this vulnerability.📖 Read
via "National Vulnerability Database".