βΌ CVE-2022-2701 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic was found in SourceCodester Simple E-Learning System. This vulnerability affects unknown code of the file /claire_blake. The manipulation of the argument Bio leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-205822 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2704 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Simple E-Learning System. It has been declared as problematic. This vulnerability affects unknown code of the file downloadFiles.php. The manipulation of the argument download leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-205828.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2706 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in SourceCodester Online Class and Exam Scheduling System 1.0. Affected is an unknown function of the file /pages/class_sched.php. The manipulation of the argument class with the input '||(SELECT 0x684d6b6c WHERE 5993=5993 AND (SELECT 2096 FROM(SELECT COUNT(*),CONCAT(0x717a786b71,(SELECT (ELT(2096=2096,1))),0x717a626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||' leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-205830 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2703 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Gym Management System. It has been classified as critical. This affects an unknown part of the component Exercises Module. The manipulation of the argument exer leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-205827.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2699 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Simple E-Learning System. It has been rated as critical. Affected by this issue is some unknown functionality of the file /claire_blake. The manipulation of the argument phoneNumber leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-205820.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2702 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Company Website CMS and classified as critical. Affected by this issue is some unknown functionality of the file site-settings.php of the component Cookie Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-205826 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2698 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Simple E-Learning System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file search.php. The manipulation of the argument searchPost leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-205819.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2700 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in SourceCodester Gym Management System. This affects an unknown part of the component GET Parameter Handler. The manipulation of the argument day leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205821 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
π΄ HYAS Infosec Announces General Availability of Cybersecurity Solution for Production Environments π΄
π Read
via "Dark Reading".
HYAS Confront provides total visibility into your production environment, giving you insight into potential issues like cyber threats before they become problems.π Read
via "Dark Reading".
Dark Reading
HYAS Infosec Announces General Availability of Cybersecurity Solution for Production Environments
HYAS Confront provides total visibility into your production environment, giving you insight into potential issues like cyber threats before they become problems.
π΄ We Have the Tech to Scale Up Open Source Vulnerability Fixes β Now It's Time to Leverage It π΄
π Read
via "Dark Reading".
Q&A with Jonathan Leitschuh, inaugural HUMAN Dan Kaminsky Fellow, in advance of his upcoming Black Hat USA presentation.π Read
via "Dark Reading".
Dark Reading
We Have the Tech to Scale Up Open Source Vulnerability Fixes β Now It's Time to Leverage It
Q&A with Jonathan Leitschuh, inaugural HUMAN Dan Kaminsky Fellow, in advance of his upcoming Black Hat USA presentation.
β Slack admits to leaking hashed passwords for three months β
π Read
via "Naked Security".
"When those invitations went out... somehow, your password hash went out with them."π Read
via "Naked Security".
Naked Security
Slack admits to leaking hashed passwords for five years
βWhen those invitations went outβ¦ somehow, your password hash went out with them.β
π1π1
β Phishers Swim Around 2FA in Coinbase Account Heists β
π Read
via "Threat Post".
Attackers are spoofing the widely used cryptocurrency exchange to trick users into logging in so they can steal their credentials and eventually their funds.π Read
via "Threat Post".
Threat Post
Phishers Swim Around 2FA in Coinbase Account Heists
Attackers are spoofing the widely used cryptocurrency exchange to trick users into logging in so they can steal their credentials and eventually their funds.
π΄ Deepfakes Grow in Sophistication, Cyberattacks Rise Following Ukraine War π΄
π Read
via "Dark Reading".
A rising tide of threats β from API exploits to deepfakes to extortionary ransomware attacks β is threatening to overwhelm IT security teams.π Read
via "Dark Reading".
Dark Reading
Deepfakes Grow in Sophistication, Cyberattacks Rise Following Ukraine War
A rising tide of threats β from API exploits to deepfakes to extortionary ransomware attacks β is threatening to overwhelm IT security teams.
βΌ CVE-2022-2424 βΌ
π Read
via "National Vulnerability Database".
The Google Maps Anywhere WordPress plugin through 1.2.6.3 does not sanitise and escape any of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)π Read
via "National Vulnerability Database".
βΌ CVE-2022-36266 βΌ
π Read
via "National Vulnerability Database".
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a stored XSS vulnerability. As the binary file /home/www/cgi-bin/login.cgi does not check if the user is authenticated, a malicious actor can craft a specific request on the login.cgi endpoint that contains a base32 encoded XSS payload that will be accepted and stored. A successful attack will results in the injection of malicious scripts into the user settings page.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35490 βΌ
π Read
via "National Vulnerability Database".
Zammad 5.2.0 is vulnerable to privilege escalation. Zammad has a prevention against brute-force attacks trying to guess login credentials. After a configurable amount of attempts, users are invalidated and logins prevented. An attacker might work around this prevention, enabling them to send more than the configured amount of requests before the user invalidation takes place.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2386 βΌ
π Read
via "National Vulnerability Database".
The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2713 βΌ
π Read
via "National Vulnerability Database".
Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35487 βΌ
π Read
via "National Vulnerability Database".
Zammad 5.2.0 suffers from Incorrect Access Control. Zammad did not correctly perform authorization on certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2409 βΌ
π Read
via "National Vulnerability Database".
The Rough Chart WordPress plugin through 1.0.0 does not properly escape chart data label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36265 βΌ
π Read
via "National Vulnerability Database".
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Hidden system command web page. After performing a reverse engineering of the firmware, it was discovered that a hidden page not listed in the administration management interface allows a user to execute Linux commands on the device with root privileges. An authenticated malicious threat actor can use this page to fully compromise the device.π Read
via "National Vulnerability Database".