β Zoom for Mac patches get-root bug β update now! β
π Read
via "Naked Security".
There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...π Read
via "Naked Security".
Naked Security
Zoom for Mac patches critical bug β update now!
Thereβs many a slip βtwixt the cup and the lip. Or at least between the TOC and the TOUβ¦
βΌ CVE-2022-36525 βΌ
π Read
via "National Vulnerability Database".
D-Link Go-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to Buffer Overflow via authenticationcgi_main.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35623 βΌ
π Read
via "National Vulnerability Database".
In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented control packets and access packets with the same SeqAuthπ Read
via "National Vulnerability Database".
βΌ CVE-2022-36526 βΌ
π Read
via "National Vulnerability Database".
D-Link GO-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to Authentication Bypass via function phpcgi_main in cgibin.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36524 βΌ
π Read
via "National Vulnerability Database".
D-Link GO-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to Static Default Credentials via /etc/init0.d/S80telnetd.sh.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2824 βΌ
π Read
via "National Vulnerability Database".
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35624 βΌ
π Read
via "National Vulnerability Database".
In Nordic nRF5 SDK for Mesh 5.0, a heap overflow vulnerability can be triggered by sending a series of segmented packets with SegO > SegNπ Read
via "National Vulnerability Database".
βΌ CVE-2022-36523 βΌ
π Read
via "National Vulnerability Database".
D-Link Go-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to command injection via /htdocs/upnpinc/gena.php.π Read
via "National Vulnerability Database".
π΄ Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management π΄
π Read
via "Dark Reading".
ZTNA brings only marginal benefits unless you ensure that the third parties you authorize are not already compromised.π Read
via "Dark Reading".
Dark Reading
Transitioning From VPNs to Zero-Trust Access Requires Shoring Up Third-Party Risk Management
ZTNA brings only marginal benefits unless you ensure that the third parties you authorize are not already compromised.
π΄ Most Q2 Attacks Targeted Old Microsoft Vulnerabilities π΄
π Read
via "Dark Reading".
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.π Read
via "Dark Reading".
Dark Reading
Most Q2 Attacks Targeted Old Microsoft Vulnerabilities
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.
π FTC Considers Rulemaking Around Commercial Surveillance, Data Security π
π Read
via "".
How do companies protect consumer data? That's one question the FTC is hoping to answer as it seeks rules to establish clear privacy and data security requirements.π Read
via "".
βΌ CVE-2022-36010 βΌ
π Read
via "National Vulnerability Database".
This library allows strings to be parsed as functions and stored as a specialized component, [`JsonFunctionValue`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/components/JsonFunctionValue.js). To do this, Javascript's [`eval`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as a value within the JSON structure being displayed. Given that this component may often be used to display data from arbitrary, untrusted sources, this is extremely dangerous. One important note is that users who have defined a custom [`onSubmitValueParser`](https://github.com/oxyno-zeta/react-editable-json-tree/tree/09a0ca97835b0834ad054563e2fddc6f22bc5d8c#onsubmitvalueparser) callback prop on the [`JsonTree`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/09a0ca97835b0834ad054563e2fddc6f22bc5d8c/src/JsonTree.js) component should be ***unaffected***. This vulnerability exists in the default `onSubmitValueParser` prop which calls [`parse`](https://github.com/oxyno-zeta/react-editable-json-tree/blob/master/src/utils/parse.js#L30). Prop is added to `JsonTree` called `allowFunctionEvaluation`. This prop will be set to `true` in v2.2.2, which allows upgrade without losing backwards-compatibility. In v2.2.2, we switched from using `eval` to using [`Function`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) to construct anonymous functions. This is better than `eval` for the following reasons: - Arbitrary code should not be able to execute immediately, since the `Function` constructor explicitly *only creates* anonymous functions - Functions are created without local closures, so they only have access to the global scope If you use: - **Version `<2.2.2`**, you must upgrade as soon as possible. - **Version `^2.2.2`**, you must explicitly set `JsonTree`'s `allowFunctionEvaluation` prop to `false` to fully mitigate this vulnerability. - **Version `>=3.0.0`**, `allowFunctionEvaluation` is already set to `false` by default, so no further steps are necessary.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24654 βΌ
π Read
via "National Vulnerability Database".
Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35978 βΌ
π Read
via "National Vulnerability Database".
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.π Read
via "National Vulnerability Database".
π΄ DEF CON 30: Hackers Come Home to Vibrant Community π΄
π Read
via "Dark Reading".
After 30 years and a brief pandemic hiatus, DEF CON returns with "Hacker Homecoming," an event that put the humans behind cybersecurity first.π Read
via "Dark Reading".
Dark Reading
DEF CON 30: Hackers Come Home to Vibrant Community
After 30 years and a brief pandemic hiatus, DEF CON returns with "Hacker Homecoming," an event that put the humans behind cybersecurity first.
βΌ CVE-2022-37447 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38187 βΌ
π Read
via "National Vulnerability Database".
Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an unauthenticated attacker to induce Esri Portal for ArcGIS to read arbitrary URLs.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37440 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37449 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37442 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38188 βΌ
π Read
via "National Vulnerability Database".
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victimΓΒ’Γ’β¬ÒβΒ’s browser.π Read
via "National Vulnerability Database".