CVE-2022-32425 (via National Vulnerability Database)
The login function of Mealie v1.0.0beta-2 allows attackers to enumerate existing usernames by timing the server's response time.

CVE-2022-32416 (via National Vulnerability Database)
Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_product.

CVE-2022-32409 (via National Vulnerability Database)
A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request.

CVE-2022-34094 (via National Vulnerability Database)
Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php.

CVE-2022-2419 (via National Vulnerability Database)
A vulnerability was found in URVE Web Manager. It has been declared as critical. This vulnerability affects unknown code of the file _internal/collector/upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.

CVE-2022-1881 (via National Vulnerability Database)
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.

CVE-2022-2420 (via National Vulnerability Database)
A vulnerability was found in URVE Web Manager. It has been rated as critical. This issue affects some unknown processing of the file _internal/uploader.php. The manipulation leads to unrestricted upload. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used.

CVE-2022-29890 (via National Vulnerability Database)
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.

CVE-2022-2418 (via National Vulnerability Database)
A vulnerability was found in URVE Web Manager. It has been classified as critical. This affects an unknown part of the file kreator.html5/img_upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used.

Friday Five 7/15
This week saw the conviction of a former CIA engineer, a brief takedown of Congress.gov, and news of a promising decline in ransomware. Read about all of this and more in this week's Friday Five!

Crunch time for EU web authentication plan as Mozilla launches campaign to protect status quo (via The Daily Swig)
Mozilla's message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit.

How Hackers Create Fake Personas for Social Engineering (via Dark Reading)
And some ways to up your game for identifying fabricated online profiles of people who don't exist.

Fantasy Premier League football app introduces 2FA to tackle account takeover hacks (via The Daily Swig)
Authentication controls added to defend against account hijack threat.

CVE-2020-36551 (via National Vulnerability Database)
Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Item Name field to /dashboard/menu-list.php.

CVE-2022-30244 (via National Vulnerability Database)
Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

CVE-2022-31097 (via National Vulnerability Database)
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

CVE-2020-35261 (via National Vulnerability Database)
Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php.

CVE-2020-36550 (via National Vulnerability Database)
Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Table Name field to /dashboard/table-list.php.

CVE-2022-30243 (via National Vulnerability Database)
Honeywell Alerton Visual Logic through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

CVE-2022-30242 (via National Vulnerability Database)
Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.

CVE-2022-32118 (via National Vulnerability Database)
Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.