‼ CVE-2021-39016 ‼
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor. IBM X-Force ID: 213722.
via "National Vulnerability Database".
‼ CVE-2021-39015 ‼
IBM Engineering Lifecycle Optimization - Publishing 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213655.
via "National Vulnerability Database".
‼ CVE-2021-39028 ‼
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to HTTP header injection, caused by improper validation of input in the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213866.
via "National Vulnerability Database".
‼ CVE-2022-22473 ‼
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper handling of Administrative Console data. This information could be used in further attacks against the system. IBM X-Force ID: 225347.
via "National Vulnerability Database".
‼ CVE-2021-39019 ‼
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose highly sensitive information through an HTTP GET request to an authenticated user. IBM X-Force ID: 213728.
via "National Vulnerability Database".
‼ CVE-2021-39017 ‼
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 213725.
via "National Vulnerability Database".
‼ CVE-2022-22477 ‼
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 225605.
via "National Vulnerability Database".
‼ CVE-2022-35283 ‼
IBM Security Verify Information Queue 10.0.2 could allow an authenticated user to cause a denial of service with a specially crafted HTTP request.
via "National Vulnerability Database".
‼ CVE-2021-39018 ‼
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose sensitive information in a SQL error message that could aid in further attacks against the system. IBM X-Force ID: 213726.
via "National Vulnerability Database".
‼ CVE-2021-45492 ‼
In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set explicit permissions and therefore inherits weak permissions from the C:\ folder. Because entries in the system-wide PATH variable are included in the search order for DLLs, an attacker could perform DLL search-order hijacking to escalate their privileges to SYSTEM. Furthermore, if the Global Search or Web Screens functionality is enabled, then privilege escalation is possible via the GlobalSearchService and Sage.CNA.WindowsService services, again via DLL search-order hijacking because unprivileged users would have modify permissions on the application directory. Note that while older versions of the software default to installing in %PROGRAMFILES(X86)% (which would allow the Sage folder to inherit strong permissions, making the installation not vulnerable), the official Sage 300 installation guides for those versions recommend installing in C:\Sage, which would make the installation vulnerable.
via "National Vulnerability Database".
🕴 Data of Nearly 2M Patients Exposed in Ransomware Attack on Healthcare Debt Collection Firm 🕴
Professional Finance Company (PFC) was hit in February 2022 by a ransomware attack.
via "Dark Reading".
🕴 Scribe Security Releases Code Integrity Validator Alongside Github Security Open Source Project 🕴
Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.
via "Dark Reading".
🕴 AEI HorizonX Ventures Joins Shift5 Series B Funding Round 🕴
Investment bolsters Shift5’s traction within commercial aerospace and defense industries.
via "Dark Reading".
‼ CVE-2022-2408 ‼
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.
via "National Vulnerability Database".
‼ CVE-2022-31142 ‼
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64-valid characters, reducing the range of characters for a brute force attack. Versions 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.
via "National Vulnerability Database".
‼ CVE-2022-2406 ‼
The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API.
via "National Vulnerability Database".
‼ CVE-2022-22450 ‼
IBM Security Verify Identity Manager 10.0 could allow a privileged user to upload a malicious file by bypassing extension security in an HTTP request. IBM X-Force ID: 224916.
via "National Vulnerability Database".
‼ CVE-2022-22460 ‼
IBM Security Verify Identity Manager 10.0 contains sensitive information in the source code repository that could be used in further attacks against the system. IBM X-Force ID: 225013.
via "National Vulnerability Database".
‼ CVE-2022-22452 ‼
IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 224918.
via "National Vulnerability Database".
‼ CVE-2022-2401 ‼
Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
via "National Vulnerability Database".
‼ CVE-2022-22453 ‼
IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.
via "National Vulnerability Database".