‼ CVE-2022-20828 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the CLI parser of Cisco FirePOWER Software for Adaptive Security Appliance (ASA) FirePOWER module could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected ASA FirePOWER module as the root user. This vulnerability is due to improper handling of undefined command parameters. An attacker could exploit this vulnerability by using a crafted command on the CLI or by submitting a crafted HTTPS request to the web-based management interface of the Cisco ASA that is hosting the ASA FirePOWER module. Note: To exploit this vulnerability, the attacker must have administrative access to the Cisco ASA. A user who has administrative access to a particular Cisco ASA is also expected to have administrative access to the ASA FirePOWER module that is hosted by that Cisco ASA.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21046 ‼
📖 Read
via "National Vulnerability Database".
A local privilege escalation vulnerability was identified within the "luminati_net_updater_win_eagleget_com" service in EagleGet Downloader version 2.1.5.20 Stable. This issue allows authenticated non-administrative user to escalate their privilege and conduct code execution as a SYSTEM privilege.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40893 ‼
📖 Read
via "National Vulnerability Database".
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-data v0.1.1 when validating crafted invalid emails.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27238 ‼
📖 Read
via "National Vulnerability Database".
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22502 ‼
📖 Read
via "National Vulnerability Database".
IBM Robotic Process Automation 21.0.1 and 21.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227124.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-30028 ‼
📖 Read
via "National Vulnerability Database".
Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20543 ‼
📖 Read
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 198929.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39409 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-20829 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of those images by Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker with administrative privileges to upload an ASDM image that contains malicious code to a device that is running Cisco ASA Software. This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software. An attacker could exploit this vulnerability by installing a crafted ASDM image on the device that is running Cisco ASA Software and then waiting for a targeted user to access that device using ASDM. A successful exploit could allow the attacker to execute arbitrary code on the machine of the targeted user with the privileges of that user on that machine. Notes: To successfully exploit this vulnerability, the attacker must have administrative privileges on the device that is running Cisco ASA Software. Potential targets are limited to users who manage the same device that is running Cisco ASA Software using ASDM. Cisco has released and will release software updates that address this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29865 ‼
📖 Read
via "National Vulnerability Database".
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 206091.📖 Read
via "National Vulnerability Database".
🕴 APT Groups Swarming on VMware Servers with Log4Shell 🕴
📖 Read
via "Dark Reading".
CISA tells organizations running VMware servers without Log4Shell mitigations to assume compromise.📖 Read
via "Dark Reading".
Dark Reading
APT Groups Swarming on VMware Servers with Log4Shell
CISA tells organizations running VMware servers without Log4Shell mitigations to assume compromise.
‼ CVE-2022-34065 ‼
📖 Read
via "National Vulnerability Database".
The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34057 ‼
📖 Read
via "National Vulnerability Database".
The Scoptrial package in PyPI version v0.0.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33003 ‼
📖 Read
via "National Vulnerability Database".
The watools package in PyPI v0.0.1 to v0.0.8 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33002 ‼
📖 Read
via "National Vulnerability Database".
The KGExplore package in PyPI v0.1.1 to v0.1.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34066 ‼
📖 Read
via "National Vulnerability Database".
The Texercise package in PyPI v0.0.1 to v0.0.12 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34053 ‼
📖 Read
via "National Vulnerability Database".
The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34064 ‼
📖 Read
via "National Vulnerability Database".
The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33004 ‼
📖 Read
via "National Vulnerability Database".
The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-34056 ‼
📖 Read
via "National Vulnerability Database".
The Watertools package in PyPI v0.0.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32996 ‼
📖 Read
via "National Vulnerability Database".
The django-navbar-client package of v0.9.50 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.📖 Read
via "National Vulnerability Database".