βΌ CVE-2022-2866 βΌ
π Read
via "National Vulnerability Database".
FATEK FvDesigner version 1.5.103 and prior is vulnerable to an out-of-bounds write while processing project files. If a valid user is tricked into using maliciously crafted project files, an attacker could achieve arbitrary code execution.π Read
via "National Vulnerability Database".
β URGENT! Apple quietly slips out zero-day update for older iPhones β
π Read
via "Naked Security".
Patch as soon as you can - that recent WebKit zero-day affecting new iPhones is apparently being used against older models, too.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Google Fixes 24 Vulnerabilities with New Chrome Update π΄
π Read
via "Dark Reading".
But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.π Read
via "Dark Reading".
Dark Reading
Google Fixes 24 Vulnerabilities With New Chrome Update
But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.
βΌ CVE-2022-38812 βΌ
π Read
via "National Vulnerability Database".
AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37183 βΌ
π Read
via "National Vulnerability Database".
Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36046 βΌ
π Read
via "National Vulnerability Database".
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36566 βΌ
π Read
via "National Vulnerability Database".
Rengine v1.3.0 was discovered to contain a command injection vulnerability via the scan engine function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37184 βΌ
π Read
via "National Vulnerability Database".
The application manage_website.php on Garage Management System 1.0 is vulnerable to Shell File Upload. The already authenticated malicious user, can upload a dangerous RCE or LCE exploit file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37128 βΌ
π Read
via "National Vulnerability Database".
In D-Link DIR-816 A2_v1.10CNB04.img the network can be initialized without authentication via /goform/wizard_end.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38153 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2 handshake, and the client has a non-empty session cache, the session cache frees a pointer that points to unallocated memory, causing the client to crash with a "free(): invalid pointer" message. NOTE: It is likely that this is also exploitable during TLS 1.3 handshakes between a client and a malicious server. With TLS 1.3, it is not possible to exploit this as a man-in-the-middle.π Read
via "National Vulnerability Database".
π’ Gov to force through tough telecoms regulations to boost network security π’
π Read
via "ITPro".
Regulator Ofcom will have powers to monitor, investigate and fine providers that fail to meet the new requirementsπ Read
via "ITPro".
IT PRO
Gov to force through tough telecoms regulations to boost network security | IT PRO
Regulator Ofcom will have powers to monitor, investigate and fine providers that fail to meet the new requirements
π’ Cuba ransomware group claims attack on Montenegro government π’
π Read
via "ITPro".
The double extortion specialists claim to have stolen the data days before Montenegro announced a sustained and co-ordinated series of cyber attacks targeting it from Russiaπ Read
via "ITPro".
IT PRO
Cuba ransomware group claims attack on Montenegro government | IT PRO
The double extortion specialists claim to have stolen the data days before Montenegro announced a sustained and co-ordinated series of cyber attacks targeting it from Russia
π’ MI5 reveals it has been working with an AI non-profit on national security since 2017 π’
π Read
via "ITPro".
The security service has been working with The Alan Turing Institute and has decided to unveil the partnership today to allow the pair to work more closely togetherπ Read
via "ITPro".
IT PRO
MI5 reveals it has been working with an AI non-profit on national security since 2017 | IT PRO
The security service has been working with The Alan Turing Institute and has decided to unveil the partnership today to allow the pair to work more closely together
βΌ CVE-2022-37123 βΌ
π Read
via "National Vulnerability Database".
D-link DIR-816 A2_v1.10CNB04.img is vulnerable to Command injection via /goform/form2userconfig.cgi.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37125 βΌ
π Read
via "National Vulnerability Database".
D-link DIR-816 A2_v1.10CNB04.img is vulnerable to Command injection via /goform/NTPSyncWithHost.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36051 βΌ
π Read
via "National Vulnerability Database".
ZITADEL combines the ease of Auth0 and the versatility of Keycloak.**Actions**, introduced in ZITADEL **1.42.0** on the API and **1.56.0** for Console, is a feature, where users with role.`ORG_OWNER` are able to create Javascript Code, which is invoked by the system at certain points during the login. **Actions**, for example, allow creating authorizations (user grants) on newly created users programmatically. Due to a missing authorization check, **Actions** were able to grant authorizations for projects that belong to other organizations inside the same Instance. Granting authorizations via API and Console is not affected by this vulnerability. There is currently no known workaround, users should update.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37130 βΌ
π Read
via "National Vulnerability Database".
In D-Link DIR-816 A2_v1.10CNB04.img a command injection vulnerability occurs in /goform/Diagnosis, after the condition is met, setnum will be spliced into v10 by snprintf, and the system will be executed, resulting in a command injection vulnerabilityπ Read
via "National Vulnerability Database".
βΌ CVE-2022-36619 βΌ
π Read
via "National Vulnerability Database".
In D-link DIR-816 A2_v1.10CNB04.img,the network can be reset without authentication via /goform/setMAC.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37129 βΌ
π Read
via "National Vulnerability Database".
D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Command Injection via /goform/SystemCommand. After the user passes in the command parameter, it will be spliced into byte_4836B0 by snprintf, and finally doSystem(&byte_4836B0); will be executed, resulting in a command injection.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3072 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.π Read
via "National Vulnerability Database".
ποΈ WatchGuard firewall exploit threatens appliance takeover ποΈ
π Read
via "The Daily Swig".
One-two bug punch leads to βworst possible impactβ, said researcherπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
WatchGuard firewall exploit threatens appliance takeover
One-two bug punch leads to βworst possible impactβ, said researcher
π1