📢 Government and Deloitte-backed cyber security startup accelerator returns for second intake 📢
📖 Read
via "ITPro".
The Cyber Runway accelerator is accepting its second cohort with its support programme placing special focus on sustainability and diversity📖 Read
via "ITPro".
IT PRO
Government and Deloitte-backed cyber security startup accelerator returns for second intake | IT PRO
The Cyber Runway accelerator is accepting its second cohort with its support programme placing special focus on sustainability and diversity
‼ CVE-2021-44915 ‼
📖 Read
via "National Vulnerability Database".
Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31014 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8 , 23.0.5 or 24.0.1. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33075 ‼
📖 Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31117 ‼
📖 Read
via "National Vulnerability Database".
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to 5.4.0 an error occurring while reallocating a buffer for string decoding can cause the buffer to get freed twice. Due to how UltraJSON uses the internal decoder, this double free is impossible to trigger from Python. This issue has been resolved in version 5.4.0 and all users should upgrade to UltraJSON 5.4.0. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31116 ‼
📖 Read
via "National Vulnerability Database".
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output. Users are advised to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
🕴 Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data 🕴
📖 Read
via "Dark Reading".
A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.📖 Read
via "Dark Reading".
Dark Reading
Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data
A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.
🕴 HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain 🕴
📖 Read
via "Dark Reading".
Company says it is making changes to its security controls to prevent malicious insiders from doing the same thing in future; reassures bug hunters their bounties are safe.📖 Read
via "Dark Reading".
Dark Reading
HackerOne Employee Fired for Stealing and Selling Bug Reports for Personal Gain
Company says it is making changes to its security controls to prevent malicious insiders from doing the same thing in future; reassures bug hunters their bounties are safe.
‼ CVE-2022-31856 ‼
📖 Read
via "National Vulnerability Database".
Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32311 ‼
📖 Read
via "National Vulnerability Database".
Ingredient Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /isms/admin/stocks/view_stock.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32310 ‼
📖 Read
via "National Vulnerability Database".
An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32413 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in Dice v4.2.0 allows attackers to execute arbitrary code via a crafted file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34972 ‼
📖 Read
via "National Vulnerability Database".
So Filter Shop v3.x was discovered to contain multiple blind SQL injection vulnerabilities via the att_value_id , manu_value_id , opt_value_id , and subcate_value_id parameters at /index.php?route=extension/module/so_filter_shop_by/filter_data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22681 ‼
📖 Read
via "National Vulnerability Database".
Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors.📖 Read
via "National Vulnerability Database".
❌ Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens ❌
📖 Read
via "Threat Post".
A developer appears to have divulged credentials to a police database on a popular developer forum, leading to a breach and subsequent bid to sell 23 terabytes of personal data on the dark web.📖 Read
via "Threat Post".
Threat Post
Human Error Blamed for Leak of 1 Billion Records of Chinese Citizens
A developer appears to have divulged credentials to a police database on a popular developer forum, leading to a breach and subsequent bid to sell 23 terabytes of personal data on the dark web.
‼ CVE-2021-46687 ‼
📖 Read
via "National Vulnerability Database".
JFrog Artifactory prior to version 7.31.10 and 6.23.38 is vulnerable to Sensitive Data Exposure through the Project Administrator REST API. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.31.10 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32533 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35229 ‼
📖 Read
via "National Vulnerability Database".
An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-45721 ‼
📖 Read
via "National Vulnerability Database".
JFrog Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in Users REST API endpoint. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.36.1 versions prior to 7.29.8; JFrog Artifactory versions before 6.23.41 versions prior to 6.23.38.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35230 ‼
📖 Read
via "National Vulnerability Database".
An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.📖 Read
via "National Vulnerability Database".