βΌ CVE-2022-37333 βΌ
π Read
via "National Vulnerability Database".
SQL injection vulnerability in the Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows remote authenticated attackers to execute arbitrary SQL commands.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37305 βΌ
π Read
via "National Vulnerability Database".
The Remote Keyless Entry (RKE) receiving unit on certain Honda vehicles through 2018 allows remote attackers to perform unlock operations and force a resynchronization after capturing five consecutive valid RKE signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38080 βΌ
π Read
via "National Vulnerability Database".
Reflected cross-site scripting vulnerability in Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows a remote authenticated attacker to inject an arbitrary script.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37418 βΌ
π Read
via "National Vulnerability Database".
The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38078 βΌ
π Read
via "National Vulnerability Database".
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.π Read
via "National Vulnerability Database".
ποΈ Stop, press: Fragmented vendor ecosystem leaves media industry increasingly vulnerable to software supply chain threats ποΈ
π Read
via "The Daily Swig".
New study highlights the myriad cyber defense challenges faced by media companies in 2022π Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Stop, press: Fragmented vendor ecosystem leaves media industry increasingly vulnerable to software supply chain threats
New study highlights the myriad cyber defense challenges faced by media companies in 2022
π1
π MIMEDefang Email Scanner 3.1 π
π Read
via "Packet Storm Security".
MIMEDefang is a flexible MIME email scanner designed to protect Windows clients from viruses. Includes the ability to do many other kinds of mail processing, such as replacing parts of messages with URLs. It can alter or delete various parts of a MIME message according to a very flexible configuration file. It can also bounce messages with unacceptable attachments. MIMEDefang works with the Sendmail 8.11 and newer "Milter" API, which makes it more flexible and efficient than procmail-based approaches.π Read
via "Packet Storm Security".
Packetstormsecurity
MIMEDefang Email Scanner 3.1 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2022-36633 βΌ
π Read
via "National Vulnerability Database".
Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33172 βΌ
π Read
via "National Vulnerability Database".
de.fac2 1.34 allows bypassing the User Presence protection mechanism when there is malware on the victim's PC.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37153 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27812 βΌ
π Read
via "National Vulnerability Database".
Flooding SNS firewall 3.7.0 to 3.7.26 with udp or icmp randomizing the source through an internal to internal or external to internal interfaces will lead the firewall to overwork. It will consume 100% CPU, 100 RAM and won't be available and can crash.π Read
via "National Vulnerability Database".
π1
β Twitter Whistleblower Complaint: The TL;DR Version β
π Read
via "Threat Post".
Twitter is blasted for security and privacy lapses by the companyβs former head of security who alleges the social media giantβs actions amount to a national security risk.π Read
via "Threat Post".
Threat Post
Twitter Whistleblower Complaint: The TL;DR Version
Twitter is blasted for security and privacy lapses by the companyβs former head of security who alleges the social media giantβs actions amount to a national security risk.
βΌ CVE-2021-0887 βΌ
π Read
via "National Vulnerability Database".
In PVRSRVBridgeHeapCfgHeapConfigName, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848817π Read
via "National Vulnerability Database".
βΌ CVE-2021-0891 βΌ
π Read
via "National Vulnerability Database".
An unprivileged app can trigger PowerVR driver to return an uninitialized heap memory causing information disclosure.Product: AndroidVersions: Android SoCAndroid ID: A-236849490π Read
via "National Vulnerability Database".
βΌ CVE-2021-0946 βΌ
π Read
via "National Vulnerability Database".
The method PVRSRVBridgePMRPDumpSymbolicAddr allocates puiMemspaceNameInt on the heap, fills the contents of the buffer via PMR_PDumpSymbolicAddr, and then copies the buffer to userspace. The method PMR_PDumpSymbolicAddr may fail, and if it does the buffer will be left uninitialized and despite the error will still be copied to userspace. Kernel leak of uninitialized heap data with no privs required.Product: AndroidVersions: Android SoCAndroid ID: A-236846966π Read
via "National Vulnerability Database".
βΌ CVE-2021-0698 βΌ
π Read
via "National Vulnerability Database".
In PVRSRVBridgeHeapCfgHeapDetails, there is a possible leak of kernel heap content due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-236848165π Read
via "National Vulnerability Database".
βΌ CVE-2022-20122 βΌ
π Read
via "National Vulnerability Database".
The PowerVR GPU driver allows unprivileged apps to allocated pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this results in kernel memory corruption.Product: AndroidVersions: Android SoCAndroid ID: A-232441339π Read
via "National Vulnerability Database".
βΌ CVE-2021-39815 βΌ
π Read
via "National Vulnerability Database".
The PowerVR GPU driver allows unprivileged apps to allocated pinned memory, unpin it (which makes it available to be freed), and continue using the page in GPU calls. No privileges required and this results in kernel memory corruption.Product: AndroidVersions: Android SoCAndroid ID: A-232440670π Read
via "National Vulnerability Database".
βΌ CVE-2021-0947 βΌ
π Read
via "National Vulnerability Database".
The method PVRSRVBridgeTLDiscoverStreams allocates puiStreamsInt on the heap, fills the contents of the buffer via TLServerDiscoverStreamsKM, and then copies the buffer to userspace. The method TLServerDiscoverStreamsKM may fail for several reasons including invalid sizes. If this method fails the buffer will be left uninitialized and despite the error will still be copied to userspace. Kernel leak of uninitialized heap data with no privs required.Product: AndroidVersions: Android SoCAndroid ID: A-236838960π Read
via "National Vulnerability Database".
β Bitcoin ATMs leeched by attackers who created fake admin accounts β
π Read
via "Naked Security".
The criminals didn't implant any malware. The attack was orchestrated via malevolent configuration changes.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
β Breaching airgap security: using your phoneβs compass as a microphone! β
π Read
via "Naked Security".
One bit per second makes the Voyager probe data rate seem blindingly fast. But it's enough to break your security assumptions...π Read
via "Naked Security".
Naked Security
Breaching airgap security: using your phoneβs gyroscope as a microphone
One bit per second makes the Voyager probe data rate seem blindingly fast. But itβs enough to break your security assumptionsβ¦