CVE-2022-2419
Read via "National Vulnerability Database".
A vulnerability was found in URVE Web Manager. It has been declared as critical. This vulnerability affects unknown code of the file _internal/collector/upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used.
CVE-2022-1881
Read via "National Vulnerability Database".
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions to access. This vulnerability only impacts projects within the same Space.
CVE-2022-2420
Read via "National Vulnerability Database".
A vulnerability was found in URVE Web Manager. It has been rated as critical. This issue affects some unknown processing of the file _internal/uploader.php. The manipulation leads to unrestricted upload. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used.
CVE-2022-29890
Read via "National Vulnerability Database".
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-2418
Read via "National Vulnerability Database".
A vulnerability was found in URVE Web Manager. It has been classified as critical. This affects an unknown part of the file kreator.html5/img_upload.php. The manipulation leads to unrestricted upload. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used.
Friday Five 7/15
This week saw the conviction of a former CIA engineer, a brief takedown of Congress.gov, and news of a promising decline in ransomware. Read about all of this and more in this week's Friday Five!
Crunch time for EU web authentication plan as Mozilla launches campaign to protect status quo
Read via "The Daily Swig".
Mozilla's message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit.
How Hackers Create Fake Personas for Social Engineering
Read via "Dark Reading".
And some ways to up your game for identifying fabricated online profiles of people who don't exist.
Fantasy Premier League football app introduces 2FA to tackle account takeover hacks
Read via "The Daily Swig".
Authentication controls added to defend against account hijack threat.
CVE-2020-36551
Read via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Item Name field to /dashboard/menu-list.php.
CVE-2022-30244
Read via "National Vulnerability Database".
Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.
CVE-2022-31097
Read via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
CVE-2020-35261
Read via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php.
CVE-2020-36550
Read via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Table Name field to /dashboard/table-list.php.
CVE-2022-30243
Read via "National Vulnerability Database".
Honeywell Alerton Visual Logic through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.
CVE-2022-30242
Read via "National Vulnerability Database".
Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.
CVE-2022-32118
Read via "National Vulnerability Database".
Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.
CVE-2022-32119
Read via "National Vulnerability Database".
Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.
CVE-2022-34826
Read via "National Vulnerability Database".
In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
CVE-2022-31107
Read via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
CVE-2022-30245
Read via "National Vulnerability Database".
Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.