Authentication Risks Discovered in Okta Platform
via "Threat Post".
Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction.
Unpatched GPS Tracker Security Bugs Threaten 1.5M Vehicles With Disruption
via "Dark Reading".
A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.
CVE-2022-29060
via "National Vulnerability Database".
A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API 5.5.0 through 5.5.1, 5.4.0 through 5.4.2, 5.3.0 through 5.3.1, 5.2.0, 5.1.0 may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device.
CVE-2022-2192
via "National Vulnerability Database".
Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions.
CVE-2022-2453
via "National Vulnerability Database".
Use After Free in GitHub repository gpac/gpac prior to 2.1-DEV.
CVE-2022-24082
via "National Vulnerability Database".
If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.
CVE-2022-26113
via "National Vulnerability Database".
An execution with unnecessary privileges vulnerability [CWE-250] in FortiClientWindows 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.10 may allow a local attacker to perform an arbitrary file write on the system.
CVE-2022-35405
via "National Vulnerability Database".
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
CVE-2022-1984
via "National Vulnerability Database".
Unsafe Deserialization vulnerability in HYPR Workforce Access (WFA) before version 7.2 may allow local authenticated attackers to elevate privileges via a malicious serialized payload. This issue affects: HYPR Windows WFA versions prior to 7.2.
CVE-2021-32504
via "National Vulnerability Database".
Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information to launch further attacks on the system.
CVE-2022-2454
via "National Vulnerability Database".
Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.1-DEV.
CVE-2022-30302
via "National Vulnerability Database".
Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests.
CVE-2022-2193
via "National Vulnerability Database".
Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1.
CVE-2022-30301
via "National Vulnerability Database".
A path traversal vulnerability [CWE-22] in FortiAP-U CLI 6.2.0 through 6.2.3, 6.0.0 through 6.0.4, 5.4.0 through 5.4.6 may allow an admin user to delete and access unauthorized files and data via specifically crafted CLI commands.
CVE-2022-29057
via "National Vulnerability Database".
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross-site scripting attack (XSS) by injecting a malicious payload into the Management Console via various endpoints.
CVE-2022-27483
via "National Vulnerability Database".
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiManager version 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x and 6.0.x and FortiAnalyzer version 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x and 6.0.x allows an attacker to execute arbitrary shell code as the `root` user via `diagnose system` CLI commands.
Huntress Acquires Curricula for $22M to Disrupt Security Training Market, Elevate Cyber Readiness for SMB Employees
via "Dark Reading".
The Curricula platform uses behavioral science with a simplified approach to train and educate users, and marks another step forward in Huntress' mission to secure the 99%.
Will Your Cyber-Insurance Premiums Protect You in Times of War?
via "Dark Reading".
Multiple cyber-insurance carriers have adopted act-of-war exclusions due to global political instability and are seeking to stretch the definition of war to deny coverage.
Okta Exposes Passwords in Clear Text for Possible Theft
via "Dark Reading".
Researchers say Okta could allow attackers to easily exfiltrate passwords, impersonate other users, and alter logs to cover their tracks.
CVE-2022-34001
via "National Vulnerability Database".
Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.
CVE-2022-27545
via "National Vulnerability Database".
BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page.