‼ CVE-2022-20332 ‼
📖 Read
via "National Vulnerability Database".
In PackageManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-180019130📖 Read
via "National Vulnerability Database".
👍1
❌ Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics ❌
📖 Read
via "Threat Post".
The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities.📖 Read
via "Threat Post".
Threat Post
Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics
The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities.
‼ CVE-2022-35589 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_time" Parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35932 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35585 ‼
📖 Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" Parameter📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42750 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35587 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35590 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) issue in the ForkCMS version 5.9.3 allows remote attackers to inject JavaScript via the "end_date" Parameter📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42751 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node.📖 Read
via "National Vulnerability Database".
🕴 Software Supply Chain Chalks Up a Security Win With New Crypto Effort 🕴
📖 Read
via "Dark Reading".
GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.📖 Read
via "Dark Reading".
Dark Reading
Software Supply Chain Chalks Up a Security Win With New Crypto Effort
GitHub, the owner of the Node Package Manager (npm), proposes cryptographically linking source code and JavaScript packages in an effort to shore up supply chain security.
‼ CVE-2022-2797 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in SourceCodester Student Information System. Affected by this vulnerability is an unknown functionality of the file /admin/students/view_student.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The identifier VDB-206245 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29118 ‼
📖 Read
via "National Vulnerability Database".
An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29112 ‼
📖 Read
via "National Vulnerability Database".
An out-of-bounds read vulnerability exists when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) which allow an unauthenticated attacker to induce an information disclosure issue in the context of the current user.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29117 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader 10.8.1 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35980 ‼
📖 Read
via "National Vulnerability Database".
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features document level security (DLS), field level security (FLS), and/or field masking will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to `.kibana` by default, so filters with the index pattern of `*` to restrict access to documents or fields will not be applied. This issue allows requests to access sensitive information when customer have acted to restrict access that specific information. OpenSearch 2.2.0, which is compatible with OpenSearch Security 2.2.0.0, contains the fix for this issue. There is no recommended work around.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2611 ‼
📖 Read
via "National Vulnerability Database".
Inappropriate implementation in Fullscreen API in Google Chrome on Android prior to 104.0.5112.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38183 ‼
📖 Read
via "National Vulnerability Database".
In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper access controls, an attacker could assign any issue to any project in Gitea (there was no permission check for fetching the issue). As a result, the attacker would get access to private issue titles.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2613 ‼
📖 Read
via "National Vulnerability Database".
Use after free in Input in Google Chrome on Chrome OS prior to 104.0.5112.79 allowed a remote attacker who convinced a user to enage in specific user interactions to potentially exploit heap corruption via specific UI interactions.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2801 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, was found in SourceCodester Automated Beer Parlour Billing System. This affects an unknown part of the component Login. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-206247.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2612 ‼
📖 Read
via "National Vulnerability Database".
Side-channel information leakage in Keyboard input in Google Chrome prior to 104.0.5112.79 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2606 ‼
📖 Read
via "National Vulnerability Database".
Use after free in Managed devices API in Google Chrome prior to 104.0.5112.79 allowed a remote attacker who convinced a user to enable a specific Enterprise policy to potentially exploit heap corruption via a crafted HTML page.📖 Read
via "National Vulnerability Database".