‼ CVE-2022-31836 ‼
The leafInfo.match() function in Beego v2.0.3 and below uses path.join() to deal with wildcard values, which can lead to cross directory risk.
📖 Read via "National Vulnerability Database".
🕴 Google Chrome WebRTC Zero-Day Faces Active Exploitation 🕴
The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.
📖 Read via "Dark Reading".
🕴 Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk 🕴
As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.
📖 Read via "Dark Reading".
‼ CVE-2022-31770 ‼
IBM App Connect Enterprise Certified Container 4.2 could allow a user from the administration console to cause a denial of service by creating a specially crafted request. IBM X-Force ID: 228221.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-34879 ‼
Reflected Cross Site Scripting (XSS) vulnerabilities in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via agent, and search_archived_data parameters. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-34876 ‼
SQL Injection vulnerability in admin interface (/vicidial/admin.php) of VICIdial via modify_email_accounts, access_recordings, and agentcall_email parameters allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-34878 ‼
SQL Injection vulnerability in User Stats interface (/vicidial/user_stats.php) of VICIdial via the file_download parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-34877 ‼
SQL Injection vulnerability in AST Agent Time Sheet interface (/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
📖 Read via "National Vulnerability Database".
📢 NCSC concerned for UK cyber experts burning out over Russia-Ukraine cyber war 📢
The nation's cyber authority has provided organisations with advice on how to deal with an extended period of heightened threat.
📖 Read via "ITPro".
📢 Cross-party MPs urge ban on two Chinese CCTV companies citing ethics and security concerns 📢
Hikvision and Dahua are used by over 60% of UK public bodies, despite widespread criticism around alleged ties to crimes in Xinjiang.
📖 Read via "ITPro".
📢 Six cyber security disruptors to watch in 2022 📢
The companies breaking new ground in data retention, software development, training, risk management, and automation.
📖 Read via "ITPro".
📢 Government and Deloitte-backed cyber security startup accelerator returns for second intake 📢
The Cyber Runway accelerator is accepting its second cohort, with its support programme placing special focus on sustainability and diversity.
📖 Read via "ITPro".
‼ CVE-2021-44915 ‼
Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-31014 ‼
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8, 23.0.5 or 24.0.1. There are no known workarounds for this issue.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-33075 ‼
A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-31117 ‼
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-31116 ‼
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.
📖 Read via "National Vulnerability Database".
🕴 Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data 🕴
A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.
📖 Read via "Dark Reading".
🕴 HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain 🕴
Company says it is making changes to its security controls to prevent malicious insiders from doing the same thing in future; reassures bug hunters their bounties are safe.
📖 Read via "Dark Reading".
‼ CVE-2022-31856 ‼
Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php.
📖 Read via "National Vulnerability Database".