‼ CVE-2021-39017 ‼
📖 Read
via "National Vulnerability Database".
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to upload arbitrary files, caused by improper access controls. IBM X-Force ID: 213725.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22477 ‼
📖 Read
via "National Vulnerability Database".
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 225605.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35283 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Information Queue 10.0.2 could allow an authenticated user to cause a denial of service with a specially crafted HTTP request.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39018 ‼
📖 Read
via "National Vulnerability Database".
IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose sensitive information in a SQL error message that could aid in further attacks against the system. IBM X-Force ID: 213726.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-45492 ‼
📖 Read
via "National Vulnerability Database".
In Sage 300 ERP (formerly accpac) through 6.8.x, the installer configures the C:\Sage\Sage300\Runtime directory to be the first entry in the system-wide PATH environment variable. However, this directory is writable by unprivileged users because the Sage installer fails to set explicit permissions and therefore inherits weak permissions from the C:\ folder. Because entries in the system-wide PATH variable are included in the search order for DLLs, an attacker could perform DLL search-order hijacking to escalate their privileges to SYSTEM. Furthermore, if the Global Search or Web Screens functionality is enabled, then privilege escalation is possible via the GlobalSearchService and Sage.CNA.WindowsService services, again via DLL search-order hijacking because unprivileged users would have modify permissions on the application directory. Note that while older versions of the software default to installing in %PROGRAMFILES(X86)% (which would allow the Sage folder to inherit strong permissions, making the installation not vulnerable), the official Sage 300 installation guides for those versions recommend installing in C:\Sage, which would make the installation vulnerable.📖 Read
via "National Vulnerability Database".
🕴 Data of Nearly 2M Patients Exposed in Ransomware Attack on Healthcare Debt Collection Firm 🕴
📖 Read
via "Dark Reading".
Professional Finance Company (PFC) was hit in February 2022 by a ransomware attack.📖 Read
via "Dark Reading".
Dark Reading
Data of Nearly 2M Patients Exposed in Ransomware Attack on Healthcare Debt Collection Firm
Professional Finance Company (PFC) was hit in February 2022 by a ransomware attack.
🕴 Scribe Security Releases Code Integrity Validator Alongside Github Security Open Source Project 🕴
📖 Read
via "Dark Reading".
Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.📖 Read
via "Dark Reading".
Dark Reading
Scribe Security Releases Code Integrity Validator Alongside Github Security Open Source Project
Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.
🕴 AEI HorizonX Ventures Joins Shift5 Series B Funding Round 🕴
📖 Read
via "Dark Reading".
Investment bolsters Shift5’s traction within commercial aerospace and defense industries.📖 Read
via "Dark Reading".
Dark Reading
AEI HorizonX Ventures Joins Shift5 Series B Funding Round
Investment bolsters Shift5’s traction within commercial aerospace and defense industries.
‼ CVE-2022-2408 ‼
📖 Read
via "National Vulnerability Database".
The Guest account feature in Mattermost version 6.7.0 and earlier fails to properly restrict the permissions, which allows a guest user to fetch a list of all public channels in the team, in spite of not being part of those channels.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31142 ‼
📖 Read
via "National Vulnerability Database".
@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-2406 ‼
📖 Read
via "National Vulnerability Database".
The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22450 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Identity Manager 10.0 could allow a privileged user to upload a malicious file by bypassing extension security in an HTTP request. IBM X-Force ID: 224916.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22460 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Identity Manager 10.0 contains sensitive information in the source code repository that could be used in further attacks against the system. IBM X-Force ID: 225013.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22452 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 224918.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2401 ‼
📖 Read
via "National Vulnerability Database".
Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22453 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.📖 Read
via "National Vulnerability Database".
🕴 DHS Review Board Deems Log4j an 'Endemic' Cyber Threat 🕴
📖 Read
via "Dark Reading".
Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.📖 Read
via "Dark Reading".
Dark Reading
DHS Review Board Deems Log4j an 'Endemic' Cyber Threat
Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.
🕴 New Phishing Kit Hijacks WordPress Sites for PayPal Scam 🕴
📖 Read
via "Dark Reading".
Attackers use scam security checks to steal victims' government documents, photos, banking information, and email passwords, researchers warn.📖 Read
via "Dark Reading".
Dark Reading
New Phishing Kit Hijacks WordPress Sites for PayPal Scam
Attackers use scam security checks to steal victims' government documents, photos, banking information, and email passwords, researchers warn.
🕴 Bishop Fox Secures $75 Million in Growth Funding From Carrick Capital Partners 🕴
📖 Read
via "Dark Reading".
Offensive security leader continues to defy market and economic trends with record growth and recognized innovation.📖 Read
via "Dark Reading".
Dark Reading
Bishop Fox Secures $75 Million in Growth Funding From Carrick Capital Partners
Offensive security leader continues to defy market and economic trends with record growth and recognized innovation.
‼ CVE-2022-32415 ‼
📖 Read
via "National Vulnerability Database".
Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/?p=products/view_product&id=.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34093 ‼
📖 Read
via "National Vulnerability Database".
Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php.📖 Read
via "National Vulnerability Database".