βΌ CVE-2022-31175 βΌ
π Read
via "National Vulnerability Database".
CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5's packages in versions prior to 35.0.1. The vulnerability allowed to trigger a JavaScript code after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percent of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
π΄ Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks π΄
π Read
via "Dark Reading".
SMBs should patch CVE-2022-32548 now to avoid a host of horrors, including complete network compromise, ransomware, state-sponsored attacks, and more.π Read
via "Dark Reading".
Dark Reading
Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks
SMBs should patch CVE-2022-32548 now to avoid a host of horrors, including complete network compromise, ransomware, state-sponsored attacks, and more.
π1
π NYDFS Proposes New Changes to Its Cybersecurity Rules π
π Read
via "".
Recently proposed amendments to the NYDFS Cybersecurity Regulation would demand new technological enhancements, audit and risk assessment requirements of companies.π Read
via "".
π΄ How IT Teams Can Use 'Harm Reduction' for Better Cybersecurity Outcomes π΄
π Read
via "Dark Reading".
Copado's Kyle Tobener will discuss a three-pronged plan at Black Hat USA for addressing human weaknesses in cybersecurity with this medical concept β from phishing to shadow IT.π Read
via "Dark Reading".
Dark Reading
How IT Teams Can Use 'Harm Reduction' for Better Cybersecurity Outcomes
Copado's Kyle Tobener will discuss a three-pronged plan at Black Hat USA for addressing human weaknesses in cybersecurity with this medical concept β from phishing to shadow IT.
π1π€―1
βΌ CVE-2022-35506 βΌ
π Read
via "National Vulnerability Database".
TripleCross v0.1.0 was discovered to contain a stack overflow which occurs because there is no limit to the length of program parameters.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43178 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35158 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service (DoS) via a crafted lua script.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35928 βΌ
π Read
via "National Vulnerability Database".
AES Crypt is a file encryption software for multiple platforms. AES Crypt for Linux built using the source on GitHub and having the version number 3.11 has a vulnerability with respect to reading user-provided passwords and confirmations via command-line prompts. Passwords lengths were not checked before being read. This vulnerability may lead to buffer overruns. This does _not_ affect source code found on aescrypt.com, nor is the vulnerability present when providing a password or a key via the `-p` or `-k` command-line options. The problem was fixed via in commit 68761851b and will be included in release 3.16. Users are advised to upgrade. Users unable to upgrade should us the `-p` or `-k` options to provide a password or key.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35505 βΌ
π Read
via "National Vulnerability Database".
A segmentation fault in TripleCross v0.1.0 occurs when sending a control command from the client to the server. This occurs because there is no limit to the length of the output of the executed command.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43179 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35161 βΌ
π Read
via "National Vulnerability Database".
GVRET Stable Release as of Aug 15, 2015 was discovered to contain a buffer overflow via the handleConfigCmd function at SerialConsole.cpp.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27551 βΌ
π Read
via "National Vulnerability Database".
HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security checking.π Read
via "National Vulnerability Database".
β GitHub blighted by βresearcherβ who created thousands of malicious projects β
π Read
via "Naked Security".
If you spew projects laced with hidden malware into an open source repository, don't waste your time telling us "no harm done" afterwards.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ New Startup Footprint Tackles Identity Verification π΄
π Read
via "Dark Reading".
Early-stage startup Footprint's goal is to provide tools that change how enterprises verify, authentication, authorize, and secure identity.π Read
via "Dark Reading".
Dark Reading
Startup Footprint Tackles Identity Verification
Early-stage startup Footprint's goal is to provide tools that change how enterprises verify, authentication, authorize, and secure identity.
π’ Norton and Avast merger 'provisionally' approved by UK regulator π’
π Read
via "ITPro".
Competition and Markets Authority investigation suggests new software giant would still face "significant" competitionπ Read
via "ITPro".
IT PRO
Norton and Avast merger 'provisionally' approved by UK regulator | IT PRO
Competition and Markets Authority investigation suggests new software giant would still face "significant" competition
π’ T-Mobile βsocial engineerβ store owner ran $25 million black market operation π’
π Read
via "ITPro".
The five-year campaign saw the former owner defraud the company after stealing more than 50 employees' login credentialsπ Read
via "ITPro".
IT PRO
T-Mobile βsocial engineerβ store owner ran $25 million black market operation | IT PRO
The five-year campaign saw the former owner defraud the company after stealing more than 50 employees' login credentials
π1
π’ Legal challenge for Sadiq Khan over ANPR expansion, Met access to data π’
π Read
via "ITPro".
Rights campaigners argue that the increase in surveillance is unlawful and unjustifiedπ Read
via "ITPro".
IT PRO
Legal challenge for Sadiq Khan over ANPR expansion, Met access to data | IT PRO
Rights campaigners argue that the increase in surveillance is unlawful and unjustified
π’ Over 200,000 DrayTek routers vulnerable to total device takeover π’
π Read
via "ITPro".
The routers are popular with small and medium businesses, but are easily exploitable by threat actors seeking to steal data or launch ransomwareπ Read
via "ITPro".
IT PRO
Over 200,000 DrayTek routers vulnerable to total device takeover | IT PRO
The routers are popular with small and medium businesses, but are easily exploitable by threat actors seeking to steal data or launch ransomware
π’ Microsoft unveils new threat intelligence and surface management solutions π’
π Read
via "ITPro".
New Microsoft Defender offerings aim to offer deeper insights into threat actors and their behavioursπ Read
via "ITPro".
channelpro
Microsoft unveils new threat intelligence and surface management solutions
New Microsoft Defender offerings aim to offer deeper insights into threat actors and their behaviours
π’ Google Cloud and MITRE make it easier for businesses to threat-hunt in their cloud environments π’
π Read
via "ITPro".
The new pre-built queries aim to make it easier to navigate cloud security for organisations without the deep understanding that's required to effectively manage threatsπ Read
via "ITPro".
ITPro
Google Cloud and MITRE make it easier for businesses to threat-hunt in their cloud environments
The new pre-built queries aim to make it easier to navigate cloud security for organisations without the deep understanding that's required to effectively manage threats
π’ Tory party delays leadership selection over hacking fears π’
π Read
via "ITPro".
The Conservatives have also been forced to abandon plans to allow members to change their vote later in the contestπ Read
via "ITPro".
ITPro
Tory party delays leadership selection over hacking fears
The Conservatives have also been forced to abandon plans to allow members to change their vote later in the contest