‼ CVE-2022-34623 ‼
📖 Read
via "National Vulnerability Database".
Mealie1.0.0beta3 is vulnerable to user enumeration via timing response discrepancy between users and non-users when an invalid password message is displayed during an authentication attempt.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36606 ‼
📖 Read
via "National Vulnerability Database".
Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36577 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in jizhicms v2.3.1. There is a CSRF vulnerability that can add a admin.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36225 ‼
📖 Read
via "National Vulnerability Database".
EyouCMS V1.5.8-UTF8-SP1 is vulnerable to Cross Site Request Forgery (CSRF) via the background, column management function and add.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-36578 ‼
📖 Read
via "National Vulnerability Database".
jizhicms v2.3.1 has SQL injection in the background.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-37254 ‼
📖 Read
via "National Vulnerability Database".
DolphinPHP 1.5.1 is vulnerable to Cross Site Scripting (XSS) via Background - > System - > system function - > configuration management.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36579 ‼
📖 Read
via "National Vulnerability Database".
Wellcms 2.2.0 is vulnerable to Cross Site Request Forgery (CSRF).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36224 ‼
📖 Read
via "National Vulnerability Database".
XunRuiCMS V4.5.6 is vulnerable to Cross Site Request Forgery (CSRF).📖 Read
via "National Vulnerability Database".
🕴 BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing 🕴
📖 Read
via "Dark Reading".
Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.📖 Read
via "Dark Reading".
Dark Reading
BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing
Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.
👍2
🕴 State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims 🕴
📖 Read
via "Dark Reading".
APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.📖 Read
via "Dark Reading".
Dark Reading
State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims
APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.
🕴 Cybersecurity Solutions Must Evolve, Says Netography CEO 🕴
📖 Read
via "Dark Reading".
Just as cyber criminals change tactics and strategy for more effectiveness, so must infosec pros and their organizations, according to Martin Roesch of Netography.📖 Read
via "Dark Reading".
Darkreading
Cybersecurity Solutions Must Evolve, Says Netography CEO
Just as cyber criminals change tactics and strategy for more effectiveness, so must infosec pros and their organizations, according to Martin Roesch of Netography.
‼ CVE-2022-0542 ‼
📖 Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22489 ‼
📖 Read
via "National Vulnerability Database".
IBM MQ 8.0, (9.0, 9.1, 9.2 LTS), and (9.1 and 9.2 CD) are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 226339.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23459 ‼
📖 Read
via "National Vulnerability Database".
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx use of the Value class may lead to memory corruption via a double free or via a use after free. The value class has a default assignment operator which may be used with pointer types which may point to alterable data where the pointer itself is not updated. This issue exists on the current commit of the jsonxx project. The project itself has been archived and updates are not expected. Users are advised to find a replacement.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-37175 ‼
📖 Read
via "National Vulnerability Database".
Tenda ac15 firmware V15.03.05.18 httpd server has stack buffer overflow in /goform/formWifiBasicSet.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23460 ‼
📖 Read
via "National Vulnerability Database".
Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36170 ‼
📖 Read
via "National Vulnerability Database".
MapGIS 10.5 Pro IGServer has hardcoded credentials in the front-end and can lead to escalation of privileges and arbitrary file deletion.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2788 ‼
📖 Read
via "National Vulnerability Database".
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36031 ‼
📖 Read
via "National Vulnerability Database".
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36009 ‼
📖 Read
via "National Vulnerability Database".
gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36008 ‼
📖 Read
via "National Vulnerability Database".
Frontier is Substrate's Ethereum compatibility layer. A security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic. No action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this. There are currently no known workarounds.📖 Read
via "National Vulnerability Database".