βΌ CVE-2022-2788 βΌ
π Read
via "National Vulnerability Database".
Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36031 βΌ
π Read
via "National Vulnerability Database".
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36009 βΌ
π Read
via "National Vulnerability Database".
gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36008 βΌ
π Read
via "National Vulnerability Database".
Frontier is Substrate's Ethereum compatibility layer. A security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic. No action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this. There are currently no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36030 βΌ
π Read
via "National Vulnerability Database".
Project-nexus is a general-purpose blog website framework. Affected versions are subject to SQL injection due to a lack of sensitization of user input. This issue has not yet been patched. Users are advised to restrict user input and to upgrade when a new release becomes available.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2909 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /mkshop/Men/profile.php. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206845 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2921 βΌ
π Read
via "National Vulnerability Database".
This will lead to privilege escalation from AP officers account to the System Administrator account. and gain more functionality such as Create/Update Companies. Install/Update Languages. Install/Activate Extensions. Install/Activate Themes. Install/Activate Chart of Accounts. Software Upgrade.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30036 βΌ
π Read
via "National Vulnerability Database".
MA Lighting grandMA2 Light has a password of root for the root account. NOTE: The vendor's position is that the product was designed for isolated networks. Also, the successor product, grandMA3, is not affected by this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36198 βΌ
π Read
via "National Vulnerability Database".
Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/admin/search-pass.php, buspassms/admin/edit-category-detail.php, and buspassms/admin/edit-pass-detail.phpπ Read
via "National Vulnerability Database".
βΌ CVE-2022-36251 βΌ
π Read
via "National Vulnerability Database".
Clinic's Patient Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via patients.php.π Read
via "National Vulnerability Database".
β Fake Reservation Links Prey on Weary Travelers β
π Read
via "Threat Post".
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.π Read
via "Threat Post".
Threat Post
Fake Reservation Links Prey on Weary Travelers
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
βΌ CVE-2022-1340 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-2930 βΌ
π Read
via "National Vulnerability Database".
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.π Read
via "National Vulnerability Database".
π1
β Laptop denial-of-service via music: the 1980s R&B song with a CVE! β
π Read
via "Naked Security".
We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)π Read
via "Naked Security".
Naked Security
Laptop denial-of-service via music: the 1980s R&B song with a CVE!
We havenβt validated this vuln ourselvesβ¦ but the source of the story is impeccable. (Impeccably dressed, at least.)
βΌ CVE-2022-2312 βΌ
π Read
via "National Vulnerability Database".
The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2594 βΌ
π Read
via "National Vulnerability Database".
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3586 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-2593 βΌ
π Read
via "National Vulnerability Database".
The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24911 βΌ
π Read
via "National Vulnerability Database".
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33900 βΌ
π Read
via "National Vulnerability Database".
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2890 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.π Read
via "National Vulnerability Database".