🛑 Cybersecurity & Privacy 🛑 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-34826 ‼

In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-31107 ‼

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.

📖 Read

via "National Vulnerability Database".
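The Grafana issue above is a pure account-linking logic flaw, so it is worth seeing the lookup order that makes it possible. The following is an added example, not Grafana's code: a simplified model in which an identity provider's assertion (stable external id, email, login name) is mapped onto local accounts. The store, the `admin` fixture and the IdP subject ids are constructed for the demonstration. The vulnerable version falls back to matching on the login name when neither the external id nor the email is known, which is exactly the situation the advisory describes; the hardened version links only on identifiers the attacker cannot freely choose and treats a colliding login name as an error.

```python
"""Model of OAuth-to-local account linking and the login-name fallback that
allows takeover (illustration of CVE-2022-31107; not Grafana source code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    """A local account. external_id is None until an IdP identity is linked to it."""
    login: str
    email: str
    external_id: Optional[str] = None


@dataclass(frozen=True)
class ExternalIdentity:
    """What the OAuth IdP asserts about the person who just logged in."""
    external_id: str   # stable subject id issued by the IdP
    email: str
    login: str         # login/display name; in this flaw the attacker controls it


class LinkError(Exception):
    pass


class UserStore:
    def __init__(self) -> None:
        self._users: list = []

    def add(self, user: LocalUser) -> LocalUser:
        if any(u.login == user.login for u in self._users):
            raise LinkError(f"login {user.login!r} already exists")
        self._users.append(user)
        return user

    def find(self, **attrs) -> Optional[LocalUser]:
        for u in self._users:
            if all(getattr(u, k) == v for k, v in attrs.items()):
                return u
        return None


def vulnerable_link(store: UserStore, ext: ExternalIdentity) -> LocalUser:
    """Affected logic (modelled): unknown external id and unknown email fall
    through to a match on the login name, and whatever matches gets linked."""
    user = (store.find(external_id=ext.external_id)
            or store.find(email=ext.email)
            or store.find(login=ext.login))      # the dangerous fallback
    if user is None:
        return store.add(LocalUser(ext.login, ext.email, ext.external_id))
    user.external_id = ext.external_id           # IdP identity now owns this account
    return user


def hardened_link(store: UserStore, ext: ExternalIdentity) -> LocalUser:
    """Link only on the external id or an email the IdP vouches for. A login
    name that collides with an unlinked local account is refused, not matched."""
    user = store.find(external_id=ext.external_id) or store.find(email=ext.email)
    if user is None:
        if store.find(login=ext.login) is not None:
            raise LinkError(f"login {ext.login!r} belongs to an unlinked local account")
        return store.add(LocalUser(ext.login, ext.email, ext.external_id))
    user.external_id = ext.external_id
    return user


def seeded_store() -> UserStore:
    """Constructed fixture: one local admin who has never logged in via OAuth."""
    store = UserStore()
    store.add(LocalUser(login="admin", email="admin@example.com"))
    return store


# Constructed attacker profile: fresh IdP subject, fresh email, login set to the victim's name.
ATTACKER = ExternalIdentity(external_id="idp-sub-9f3c", email="mallory@attacker.example", login="admin")
# Constructed legitimate profile for the same admin, as the advisory's workaround assumes.
REAL_ADMIN = ExternalIdentity(external_id="idp-sub-0001", email="admin@example.com", login="admin")


def run_demo() -> dict:
    results = {}
    hijacked = vulnerable_link(seeded_store(), ATTACKER)
    results["vulnerable_takeover"] = hijacked.email == "admin@example.com"

    try:
        hardened_link(seeded_store(), ATTACKER)
        results["hardened_rejects"] = False
    except LinkError:
        results["hardened_rejects"] = True

    linked = hardened_link(seeded_store(), REAL_ADMIN)
    results["hardened_links_by_email"] = linked.external_id == "idp-sub-0001"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The hardened version still satisfies the advisory's workaround: a user whose email already belongs to a local account is linked normally, while an unknown identity that merely reuses someone else's login name is turned away.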
‼ CVE-2022-30245 ‼

Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36461 ‼

An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to get a shell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-36553 ‼

Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Area(food_type) field to /dashboard/menu-list.php.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-36552 ‼

Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Made field to /dashboard/menu-list.php.

📖 Read

via "National Vulnerability Database".
⚠ S3 Ep91: CodeRed, OpenSSL, Java bugs and Office macros [Podcast + Transcript] ⚠

Latest episode - listen now! Great discussion, technical content, solid advice... all covered in plain English.

📖 Read

via "Naked Security".
πŸ—“οΈ More than 4,000 individuals’ medical data left exposed for 16 years πŸ—“οΈ

Private healthcare information had been accessible since 2006

📖 Read

via "The Daily Swig".
🕴 Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine 🕴

Researchers who helped thwart the Russian nation-state group's recent attack on Ukraine's power supply will disclose at Black Hat USA what they found while reverse-engineering Industroyer2, the powerful malware used by the hacking team.

📖 Read

via "Dark Reading".
⚠ 7 cybersecurity tips for your summer vacation! ⚠

Here you go - seven thoughtful cybersecurity tips to help you travel safely...

📖 Read

via "Naked Security".
❌ Emerging H0lyGh0st Ransomware Tied to North Korea ❌

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

📖 Read

via "Threat Post".
‼ CVE-2022-35409 ‼

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN less than a threshold that depends on the configuration: 258 bytes if using mbedtls_ssl_cookie_check, and possibly up to 571 bytes with a custom cookie check function.

📖 Read

via "National Vulnerability Database".
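The Mbed TLS entry above describes a classic length-field over-read: a one-byte cookie length in a DTLS ClientHello is trusted, so a truncated message whose length byte claims 255 cookie bytes makes the server read past the bytes it actually received, and past the receive buffer itself when that buffer is small enough. The following is an added example, not Mbed TLS code: a Python model that lays out the ClientHello fields per RFC 6347 (handshake header, version, random, length-prefixed session id, length-prefixed cookie), parses them once without bounds checks and once with them, and represents the heap as a bytearray whose first `in_content_len` bytes are the receive buffer and whose remainder stands for adjacent memory. The adjacent-memory contents, the 8-byte cookie and the fixed `random` are constructed; the model does not reproduce the exact offsets or thresholds from the advisory.

```python
"""Model of the DTLS ClientHello cookie over-read class (illustration of
CVE-2022-35409; not Mbed TLS source code)."""
import struct
from typing import Optional

HANDSHAKE_HDR = 12   # DTLS handshake header: msg_type(1) length(3) seq(2) frag_off(3) frag_len(3)
VERSION_LEN = 2
RANDOM_LEN = 32

# Constructed stand-in for whatever follows the receive buffer on the heap.
ADJACENT_HEAP = b"<adjacent heap: session keys, other peers' data>".ljust(300, b".")


class MalformedClientHello(ValueError):
    """Raised by the checked parser when a length field points outside the received message."""


def build_client_hello(session_id: bytes, cookie: bytes,
                       claimed_cookie_len: Optional[int] = None) -> bytes:
    """Constructed DTLS 1.2 ClientHello fragment up to and including the cookie field.
    claimed_cookie_len lets a caller lie about the cookie length, as an attacker would."""
    body = struct.pack("!H", 0xFEFD) + b"\x11" * RANDOM_LEN        # version + fixed random (constructed)
    body += bytes([len(session_id)]) + session_id
    cookie_len = len(cookie) if claimed_cookie_len is None else claimed_cookie_len
    body += bytes([cookie_len]) + cookie
    hdr = (bytes([1]) + len(body).to_bytes(3, "big")               # client_hello, length
           + b"\x00\x00" + b"\x00\x00\x00" + len(body).to_bytes(3, "big"))  # seq, frag_off, frag_len
    return hdr + body


def parse_cookie_unchecked(heap: bytes) -> bytes:
    """Vulnerable: offsets advance by attacker-supplied length bytes and are never
    compared with how much was actually received or allocated."""
    off = HANDSHAKE_HDR + VERSION_LEN + RANDOM_LEN
    sid_len = heap[off]
    off += 1 + sid_len
    cookie_len = heap[off]
    off += 1
    return bytes(heap[off:off + cookie_len])     # may run past the message and the buffer


def parse_cookie_checked(buf: bytes, msg_len: int) -> bytes:
    """Hardened: every read is bounded by the length of the received message."""
    if msg_len > len(buf):
        raise MalformedClientHello("message length exceeds receive buffer")
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > msg_len:
            raise MalformedClientHello(f"need {n} bytes at offset {off}, only {msg_len - off} left")
        chunk = bytes(buf[off:off + n])
        off += n
        return chunk

    take(HANDSHAKE_HDR + VERSION_LEN + RANDOM_LEN)
    sid_len = take(1)[0]
    take(sid_len)
    cookie_len = take(1)[0]
    return take(cookie_len)


def demo(in_content_len: int = 256) -> dict:
    """Constructed attack: the cookie_len byte says 255 but only 8 cookie bytes are sent."""
    msg = build_client_hello(session_id=b"", cookie=b"\xaa" * 8, claimed_cookie_len=255)
    recv_buf = msg.ljust(in_content_len, b"\x00")   # the allocation; bytes past msg are stale
    heap = recv_buf + ADJACENT_HEAP                  # what lies beyond the allocation
    cookie_off = len(msg) - 8
    over = max(0, cookie_off + 255 - in_content_len)  # bytes read beyond the allocation

    leaked = parse_cookie_unchecked(heap)
    try:
        parse_cookie_checked(recv_buf, len(msg))
        rejected = False
    except MalformedClientHello:
        rejected = True
    return {
        "bytes_past_allocation": over,
        "leaked_adjacent": leaked[len(leaked) - over:] if over else b"",
        "checked_rejects": rejected,
    }


if __name__ == "__main__":
    for size in (256, 512):
        r = demo(size)
        print(f"in_content_len={size}: {r['bytes_past_allocation']} bytes past allocation, "
              f"checked parser rejects={r['checked_rejects']}")
```

Running `demo(256)` shows the unchecked parser returning bytes from beyond the allocation while the checked parser rejects the message; with `demo(512)` the same unchecked read stays inside the (stale) buffer, which is the shape of the advisory's observation that only configurations with a small MBEDTLS_SSL_IN_CONTENT_LEN are exposed to the over-read.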
πŸ‘1
‼ CVE-2020-35305 ‼

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23141 ‼

ZXMP M721 has an information leak vulnerability. Since the serial port authentication on the ZBOOT interface is not effective although it is enabled, an attacker could use this vulnerability to log in to the device to obtain sensitive information.

📖 Read

via "National Vulnerability Database".
🕴 Ex-CIA Programmer Found Guilty of Stealing Vault 7 Data, Giving It to Wikileaks 🕴

Joshua Schulte has been convicted for his role in the Vault 7 Wikileaks data dump that exposed invasive US cyber intelligence tactics.

📖 Read

via "Dark Reading".
🕴 What Are the Risks of Employees Going on a 'Hybrid Holiday'? 🕴

As more employees plan on taking a "hybrid holiday", a longer holiday with the intention of working remotely from the travel destination for part of that time, organizations have to consider the risks. The biggest one? Wi-Fi networks.

📖 Read

via "Dark Reading".
🕴 How Attackers Could Dupe Developers into Downloading Malicious Code From GitHub 🕴

Developers need to be cautious about whom they trust on GitHub because it's easy to establish fake credibility on the platform, a security vendor warns.

📖 Read

via "Dark Reading".
‼ CVE-2022-34232 ‼

Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-34222 ‼

Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-34230 ‼

Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-34241 ‼

Adobe Character Animator version 4.4.7 (and earlier) and 22.4 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

📖 Read

via "National Vulnerability Database".