CVE-2022-2579
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in SourceCodester Garage Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument userName with the input lala<img src="" onerror=alert(1)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2022-27873
via "National Vulnerability Database".
An attacker can force the victim's device to perform arbitrary HTTP requests in WAN through a malicious SVG file being parsed by Autodesk Fusion 360's document parser. The vulnerability exists in the application's 'Insert SVG' procedure. An attacker can also leverage this vulnerability to obtain the victim's public IP and possibly other sensitive information.
CVE-2022-35630
via "National Vulnerability Database".
A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file. This issue was resolved in Velociraptor 0.6.5-2.
CVE-2022-2578
via "National Vulnerability Database".
A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2022-35631
via "National Vulnerability Database".
On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velociraptor client overwrite the other file. This issue was resolved in Velociraptor 0.6.5-2.
CVE-2022-33881
via "National Vulnerability Database".
Parsing a maliciously crafted PRT file can force Autodesk AutoCAD 2023 to read beyond allocated boundaries. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process.
CVE-2022-35629
via "National Vulnerability Database".
Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, to send messages to the server claiming to come from another client ID. This issue was resolved in Velociraptor 0.6.5-2.
Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization
via "Dark Reading".
The first half of the year saw more than 11,800 reported security vulnerabilities, but figuring out which ones to patch first remains a thankless job for IT teams.
Why Bug-Bounty Programs Are Failing Everyone
via "Dark Reading".
In a Black Hat USA talk, Katie Moussouris will discuss why bug-bounty programs are failing in their goals, and what needs to happen next to use bounties in a way that improves security outcomes.
911 Proxy Service Implodes After Disclosing Breach
via "Krebs on Security".
911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911's proxy software with other titles, including "free" utilities and pirated software.
CVE-2022-2414
via "National Vulnerability Database".
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
CVE-2022-23004
via "National Vulnerability Database".
When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-36378
via "National Vulnerability Database".
Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in PluginlySpeaking Floating Div plugin <= 3.0 at WordPress.
CVE-2022-23002
via "National Vulnerability Database".
When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23001
via "National Vulnerability Database".
When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23003
via "National Vulnerability Database".
When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
Attackers Have 'Favorite' Vulnerabilities to Exploit
via "Dark Reading".
While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.
AWS Focuses on Identity Access Management at re:Inforce
via "Dark Reading".
Identity and access management was front and center at AWS re:Inforce this week.
ICYMI: Dark Web Happenings Edition With Evil Corp., MSP Targeting & More
via "Dark Reading".
Dark Reading's digest of other "don't-miss" stories of the week, including a Microsoft alert connecting disparate cybercrime activity together, and an explosion of Luca Stealer variants after an unusual Dark Web move.
The pros and cons of net neutrality
via "ITPro".
Still on the fence about net neutrality? Here are both sides of the argument.
What is a 502 Bad Gateway and how do you fix it?
via "ITPro".
We explain what the 502 Bad Gateway networking error means for users and website owners, and some potential steps for fixing it.