CVE-2022-30302
Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests.
Read via "National Vulnerability Database".
CVE-2022-2193
Insecure Direct Object Reference vulnerability in HYPR Server before version 6.14.1 allows remote authenticated attackers to add a FIDO2 authenticator to arbitrary accounts via parameter tampering in the Device Manager page. This issue affects: HYPR Server versions prior to 6.14.1.
Read via "National Vulnerability Database".
CVE-2022-30301
A path traversal vulnerability [CWE-22] in FortiAP-U CLI 6.2.0 through 6.2.3, 6.0.0 through 6.0.4, 5.4.0 through 5.4.6 may allow an admin user to delete and access unauthorized files and data via specifically crafted CLI commands.
Read via "National Vulnerability Database".
CVE-2022-29057
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross-site scripting attack (XSS) by injecting a malicious payload into the Management Console via various endpoints.
Read via "National Vulnerability Database".
CVE-2022-27483
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiManager version 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x and 6.0.x and FortiAnalyzer version 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x and 6.0.x allows an attacker to execute arbitrary shell code as the `root` user via `diagnose system` CLI commands.
Read via "National Vulnerability Database".
Huntress Acquires Curricula for $22M to Disrupt Security Training Market, Elevate Cyber Readiness for SMB Employees
The Curricula platform uses behavioral science with a simplified approach to train and educate users, and marks another step forward in Huntress' mission to secure the 99%.
Read via "Dark Reading".
Will Your Cyber-Insurance Premiums Protect You in Times of War?
Multiple cyber-insurance carriers have adopted act-of-war exclusions due to global political instability and are seeking to stretch the definition of war to deny coverage.
Read via "Dark Reading".
Okta Exposes Passwords in Clear Text for Possible Theft
Researchers say Okta could allow attackers to easily exfiltrate passwords, impersonate other users, and alter logs to cover their tracks.
Read via "Dark Reading".
CVE-2022-34001
Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously.
Read via "National Vulnerability Database".
CVE-2022-27545
BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page.
Read via "National Vulnerability Database".
CVE-2022-27544
BigFix Web Reports authorized users may see SMTP credentials in clear text.
Read via "National Vulnerability Database".
CVE-2022-22359
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SaaS 22.2 is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 220652.
Read via "National Vulnerability Database".
CVE-2022-22417
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SaaS 22.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223127.
Read via "National Vulnerability Database".
CVE-2022-22358
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SaaS 22.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 220651.
Read via "National Vulnerability Database".
CVE-2022-34023
Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /officials/officials.php.
Read via "National Vulnerability Database".
CVE-2022-22360
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SaaS 22.2 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources. IBM X-Force ID: 220782.
Read via "National Vulnerability Database".
CVE-2022-22416
IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SaaS 22.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 223126.
Read via "National Vulnerability Database".
CVE-2022-35912
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
Read via "National Vulnerability Database".
CVE-2022-2469
GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client.
Read via "National Vulnerability Database".
CVE-2022-27580
A deserialization vulnerability in a .NET framework class used and not properly checked by Safety Designer, all versions up to and including 1.11.0, allows an attacker to craft malicious project files. Opening or importing such a malicious project file in Safety Designer would execute arbitrary code with the privileges of the current user. This compromises confidentiality, integrity and availability. For the attack to succeed, a user must manually open a malicious project file.
Read via "National Vulnerability Database".
CVE-2022-27579
A deserialization vulnerability in a .NET framework class used and not properly checked by Flexi Soft Designer, in all versions up to and including 1.9.4 SP1, allows an attacker to craft malicious project files. Opening or importing such a malicious project file in Flexi Soft Designer would execute arbitrary code with the privileges of the current user. This compromises confidentiality, integrity and availability. For the attack to succeed, a user must manually open a malicious project file.
Read via "National Vulnerability Database".