CVE-2022-31082
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.
via "National Vulnerability Database".
CVE-2022-31076
KubeEdge is built upon Kubernetes and extends native containerized application orchestration and device management to hosts at the Edge. In affected versions a malicious message can crash CloudCore by triggering a nil-pointer dereference in the UDS Server. Since the UDS Server only communicates with the CSI Driver on the cloud side, the attack is limited to the local host network. As such, an attacker would already need to be an authenticated user of the Cloud. Additionally, it is affected only when users turn on the unixsocket switch in the config file cloudcore.yaml. This bug has been fixed in KubeEdge 1.11.0, 1.10.1, and 1.9.3. Users should update to these versions to resolve the issue. Users unable to upgrade should disable the unixsocket switch of CloudHub in the config file cloudcore.yaml.
via "National Vulnerability Database".
CVE-2022-31086
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow uploading PHP scripts to config/templates/pdf. This vulnerability could lead to Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-31094
ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project that tries to. The issue is that if a user visits a project that includes JavaScript in the title, then when the Recently Viewed Projects feature displays it, it could run the JavaScript. This issue has been addressed in the 2.5.2 release. Users having issues scratching should open an issue in the project issue tracker https://github.com/STForScratch/ScratchTools/
via "National Vulnerability Database".
CVE-2022-33116
An issue in the jmpath variable in /modules/mindmap/index.php of GUnet Open eClass Platform (aka openeclass) v3.12.4 and below allows attackers to read arbitrary files via a directory traversal.
via "National Vulnerability Database".
CVE-2022-31064
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with XSS in the name) starts a chat; in the victim's client the JavaScript will be executed. This issue has been addressed in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-31088
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0.
via "National Vulnerability Database".
CVE-2022-31087
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web shell into this directory and gain code execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in the (/var/lib/ldap-account-manager/)tmp directory.
via "National Vulnerability Database".
CVE-2022-31085
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in the LAM main configuration.
via "National Vulnerability Database".
CVE-2022-31089
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-31084
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 there are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.
via "National Vulnerability Database".
CVE-2022-31057
Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-31065
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. It is also executed when the victim receives a notification that the attacker has left the session. This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
via "National Vulnerability Database".
Federal, State Agencies' Aid Programs Face Synthetic Identity Fraud
Balancing public service with fraud prevention requires rule revisions and public trust.
via "Dark Reading".
Cisco to exit Russia, Belarus in business wind-down
The tech giant is the latest to leave the region altogether as Russia continues its invasion of Ukraine.
via "ITPro".
Carnival hit with $5 million fine over cyber security violations
The cruise line operator was criticised for failing to implement multi-factor authentication and failing to conduct cyber security training for its staff.
via "ITPro".
Cloudflare unveils new One Partner Program with zero trust at its core
Cloudflare CEO Matthew Prince says the initiative aims to take the complexity out of zero trust architecture.
via "ITPro".
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Researchers have urged vigilance over compressed attachments sent under false pretenses.
via "ITPro".
Google warns of ISP-controlled Hermit spyware
The spyware primarily targets Android and iOS users in Italy and Kazakhstan.
via "ITPro".
Kaspersky finds most effective phishing emails imitate corporate messages, delivery notifications
Almost one in five employees clicked links in business-related emails, but most emails containing threats or promising money were identified as phishing.
via "ITPro".
WatchGuard Firebox M590 review: Big red network security
A powerful mid-range UTM appliance with top-notch security features at a sensible price.
via "ITPro".