‼ CVE-2022-39829 ‼
📖 Read
via "National Vulnerability Database".
There is a NULL pointer dereference in aes256_encrypt in Samsung mTower through 0.3.0 due to a missing check on the return value of EVP_CIPHER_CTX_new.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39196 ‼
📖 Read
via "National Vulnerability Database".
Blackboard Learn 1.10.1 allows remote authenticated users to read unintended files by entering student credentials and then directly visiting a certain webapps/bbcms/execute/ URL.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39830 ‼
📖 Read
via "National Vulnerability Database".
sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39828 ‼
📖 Read
via "National Vulnerability Database".
sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key, leading to a denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39824 ‼
📖 Read
via "National Vulnerability Database".
Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2597 ‼
📖 Read
via "National Vulnerability Database".
The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3127 ‼
📖 Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2376 ‼
📖 Read
via "National Vulnerability Database".
The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2830 ‼
📖 Read
via "National Vulnerability Database".
Deserialization of Untrusted Data vulnerability in the message processing component of Bitdefender GravityZone Console allows an attacker to pass unsafe commands to the environment. This issue affects: Bitdefender GravityZone Console On-Premise versions prior to 6.29.2-1. Bitdefender GravityZone Cloud Console versions prior to 6.27.2-2.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2657 ‼
📖 Read
via "National Vulnerability Database".
The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2271 ‼
📖 Read
via "National Vulnerability Database".
The WP Database Backup WordPress plugin before 5.9 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2083 ‼
📖 Read
via "National Vulnerability Database".
The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2543 ‼
📖 Read
via "National Vulnerability Database".
The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2565 ‼
📖 Read
via "National Vulnerability Database".
The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2775 ‼
📖 Read
via "National Vulnerability Database".
The Fast Flow WordPress plugin before 1.2.13 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
⚠ Chrome fixes zero-day security hole reported anonymously – update now! ⚠
📖 Read
via "Naked Security".
This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
🛠 cryptmount Filesystem Manager 6.0 🛠
📖 Read
via "Packet Storm Security".
cryptmount is a utility for creating and managing secure filing systems on GNU/Linux systems. After initial setup, it allows any user to mount or unmount filesystems on demand, solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel dm-crypt system and the libgcrypt library) can be used to protect both the filesystem and the access key. The protected filing systems can reside in either ordinary files or disk partitions. The package also supports encrypted swap partitions, and automatic configuration on system boot-up.📖 Read
via "Packet Storm Security".
Packetstormsecurity
cryptmount Filesystem Manager 6.0 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
🛠 GNUnet P2P Framework 0.17.5 🛠
📖 Read
via "Packet Storm Security".
GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.📖 Read
via "Packet Storm Security".
Packetstormsecurity
GNUnet P2P Framework 0.17.5 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
🗓️ Squiz Matrix CMS squashes admin account takeover bug 🗓️
📖 Read
via "The Daily Swig".
IDOR issue meant user account privileges and contact details could be altered📖 Read
via "The Daily Swig".
‼ CVE-2022-3122 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Clinics Patient Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file medicine_details.php. The manipulation of the argument medicine leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-207854 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3121 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Online Employee Leave Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/addemployee.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The identifier VDB-207853 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".