CVE-2022-36747
via "National Vulnerability Database".
Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel().
CVE-2022-36749
via "National Vulnerability Database".
RPi-Jukebox-RFID v2.3.0 was discovered to contain a command injection vulnerability via the component /htdocs/utils/Files.php. This vulnerability is exploited via a crafted payload injected into the file name of an uploaded file.
CVE-2022-36746
via "National Vulnerability Database".
LibreNMS v22.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component oxidized-cfg-check.inc.php.
CVE-2022-39047
via "National Vulnerability Database".
Freeciv before 2.6.7 and before 3.0.3 is prone to a buffer overflow vulnerability in the Modpack Installer utility's handling of the modpack URL.
CVE-2022-37021
via "National Vulnerability Database".
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
CVE-2022-37023
via "National Vulnerability Database".
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.
CVE-2022-37022
via "National Vulnerability Database".
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI, which Gfsh uses to communicate with the JMX Manager hosted on a Locator.
CVE-2022-39046
via "National Vulnerability Database".
An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
JavaScript bugs aplenty in Node.js ecosystem – found automatically
via "Naked Security".
How to get the better of bugs in all the possible packages in your supply chain?
Chrome patches 24 security holes, enables “Sanitizer” safety system
via "Naked Security".
24 existing bugs fixed. And, we hope, numerous potential future bugs prevented.
Student Loan Breach Exposes 2.5M Records
via "Threat Post".
2.5 million people were affected, in a breach that could spell more trouble down the line.
SecureAuth Announces General Availability of Arculix, Its Next-Gen Passwordless, Continuous-Authentication Platform
via "Dark Reading".
Next-gen platform delivers adaptive and robust, continuous authentication with identity orchestration and a frictionless user experience.
The Inevitability of Cloud Breaches: Tales of Real-World Cloud Attacks
via "Dark Reading".
While cloud breaches are going to happen, that doesn't mean we can't do anything about them. By better understanding cloud attacks, organizations can better prepare for them. (First of two parts.)
Command injection vulnerability in GitHub Pages nets bug hunter $4k
via "The Daily Swig".
Exploit involved duping developers into exposing repositories with social engineering techniques.
Three-day hackathon uncovers hundreds of bugs in Yahoo search engine tool Vespa
via "The Daily Swig".
Live event brings together bug bounty hunters from across the globe.
Final Thoughts on Ubiquiti
via "Krebs on Security".
Last year, I posted a series of articles about a purported “breach” at Ubiquiti. My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing — which includes providing false…
TikTok for Android Bug Allows Single-Click Account Hijack
via "Dark Reading".
A security vulnerability (CVE-2022-28799) in one of TikTok for Android's deeplinks could affect billions of users, Microsoft warns.
CVE-2022-36045
via "National Vulnerability Database".
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier), used a cryptographically insecure pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB. The vulnerability allows an attacker to take over any account without the involvement of the victim, and as such the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset). The vulnerability has been patched in versions 2.x and 1.19.x. There is no known workaround, but the patch sets listed above fully patch the vulnerability.
CVE-2022-36035
via "National Vulnerability Database".
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.
(ISC)² Opens Global Enrollment for '1 Million Certified in Cybersecurity' Initiative
via "Dark Reading".
(ISC)² pledges to expand and diversify the cybersecurity workforce by providing free "(ISC)² Certified in Cybersecurity" education and exams to 1 million people worldwide.
OpenText Goes All-in on Cybersecurity Size and Scale With Micro Focus Purchase
via "Dark Reading".
OpenText makes a $6 billion bet that bigger is better in security and that cybersecurity platform plays are the future.