βΌ CVE-2022-1976 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the Linux kernelΓ’β¬β’s implementation of IO-URING. This flaw allows an attacker with local executable permission to create a string of requests that can cause a use-after-free flaw within the kernel. This issue leads to memory corruption and possible privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1404 βΌ
π Read
via "National Vulnerability Database".
Delta Electronics CNCSoft (All versions prior to 1.01.32) does not properly sanitize input while processing a specific project file, allowing a possible out-of-bounds read condition.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26330 βΌ
π Read
via "National Vulnerability Database".
Potential vulnerabilities have been identified in Micro Focus ArcSight Logger. The vulnerabilities could be remotely exploited resulting in Information Disclosure, or Self Cross-Site Scripting (XSS). This issue affects: Micro Focus ArcSight Logger versions prior to v7.2.2 version and prior versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2003 βΌ
π Read
via "National Vulnerability Database".
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect DirectLOGIC D0-06 series CPUs D0-06DD1 versions prior to 2.72; D0-06DD2 versions prior to 2.72; D0-06DR versions prior to 2.72; D0-06DA versions prior to 2.72; D0-06AR versions prior to 2.72; D0-06AA versions prior to 2.72; D0-06DD1-D versions prior to 2.72; D0-06DD2-D versions prior to 2.72; D0-06DR-D versions prior to 2.72;π Read
via "National Vulnerability Database".
βΌ CVE-2022-2043 βΌ
π Read
via "National Vulnerability Database".
MOXA NPort 5110: Firmware Versions 2.10 is vulnerable to an out-of-bounds write that can cause the device to become unresponsive.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1552 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21941 βΌ
π Read
via "National Vulnerability Database".
All versions of iSTAR Ultra prior to version 6.8.9.CU01are vulnerable to a command injection that could allow an unauthenticated user root access to the system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1508 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds read flaw was found in the Linux kernelΓ’β¬β’s io_uring module in the way a user triggers the io_read() function with some special parameters. This flaw allows a local user to read some memory out of bounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37122 βΌ
π Read
via "National Vulnerability Database".
Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30318 βΌ
π Read
via "National Vulnerability Database".
Honeywell ControlEdge through R151.1 uses Hard-coded Credentials. According to FSCT-2022-0056, there is a Honeywell ControlEdge hardcoded credentials issue. The affected components are characterized as: SSH. The potential impact is: Remote code execution, manipulate configuration, denial of service. The Honeywell ControlEdge PLC and RTU product line exposes an SSH service on port 22/TCP. Login as root to this service is permitted and credentials for the root user are hardcoded without automatically changing them upon first commissioning. The credentials for the SSH service are hardcoded in the firmware. The credentials grant an attacker access to a root shell on the PLC/RTU, allowing for remote code execution, configuration manipulation and denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38152 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3028 βΌ
π Read
via "National Vulnerability Database".
A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30317 βΌ
π Read
via "National Vulnerability Database".
Honeywell Experion LX through 2022-05-06 has Missing Authentication for a Critical Function. According to FSCT-2022-0055, there is a Honeywell Experion LX Control Data Access (CDA) EpicMo protocol with unauthenticated functionality issue. The affected components are characterized as: Honeywell Control Data Access (CDA) EpicMo (55565/TCP). The potential impact is: Firmware manipulation, Denial of service. The Honeywell Experion LX Distributed Control System (DCS) utilizes the Control Data Access (CDA) EpicMo protocol (55565/TCP) for device diagnostics and maintenance purposes. This protocol does not have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality. There is no authentication functionality on the protocol in question. An attacker capable of invoking the protocols' functionalities could issue firmware download commands potentially allowing for firmware manipulation and reboot devices causing denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-28625 βΌ
π Read
via "National Vulnerability Database".
A local disclosure of sensitive information vulnerability was discovered in HPE OneView version(s): Prior to 7.0 or 6.60.01. A low privileged user could locally exploit this vulnerability to disclose sensitive information resulting in a complete loss of confidentiality, integrity, and availability. To exploit this vulnerability, HPE OneView must be configured with credential access to external repositories. HPE has provided a software update to resolve this vulnerability in HPE OneView.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2866 βΌ
π Read
via "National Vulnerability Database".
FATEK FvDesigner version 1.5.103 and prior is vulnerable to an out-of-bounds write while processing project files. If a valid user is tricked into using maliciously crafted project files, an attacker could achieve arbitrary code execution.π Read
via "National Vulnerability Database".
β URGENT! Apple quietly slips out zero-day update for older iPhones β
π Read
via "Naked Security".
Patch as soon as you can - that recent WebKit zero-day affecting new iPhones is apparently being used against older models, too.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Google Fixes 24 Vulnerabilities with New Chrome Update π΄
π Read
via "Dark Reading".
But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.π Read
via "Dark Reading".
Dark Reading
Google Fixes 24 Vulnerabilities With New Chrome Update
But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.
βΌ CVE-2022-38812 βΌ
π Read
via "National Vulnerability Database".
AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37183 βΌ
π Read
via "National Vulnerability Database".
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36046 βΌ
π Read
via "National Vulnerability Database".
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36566 βΌ
π Read
via "National Vulnerability Database".
Rengine v1.3.0 was discovered to contain a command injection vulnerability via the scan engine function.π Read
via "National Vulnerability Database".