‼ CVE-2022-37185 ‼
via "National Vulnerability Database".
A SQL injection vulnerability exists in the school information query interface (repschoolproj.php) of the EMS 6.2 system of the Office of the Thai Basic Education Commission, which can lead to data leakage.
‼ CVE-2022-36663 ‼
via "National Vulnerability Database".
Gluu Oxauth before v4.4.1 allows attackers to execute blind SSRF (Server-Side Request Forgery) attacks via a crafted request_uri parameter.
‼ CVE-2022-26858 ‼
via "National Vulnerability Database".
Dell BIOS versions contain an Improper Authentication vulnerability. A locally authenticated malicious user could potentially exploit this vulnerability by sending malicious input to an SMI in order to bypass security controls.
‼ CVE-2022-3134 ‼
via "National Vulnerability Database".
Use After Free in GitHub repository vim/vim prior to 9.0.0388.
‼ CVE-2022-36040 ‼
via "National Vulnerability Database".
Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to an out-of-bounds write when getting data from PYC (Python) files. A user opening a malicious PYC file could be affected by this vulnerability, allowing an attacker to execute code on the user's machine. Commit number 68948017423a12786704e54227b8b2f918c2fd27 contains a patch.
‼ CVE-2022-36065 ‼
via "National Vulnerability Database".
GrowthBook is an open-source platform for feature flagging and A/B testing. With some self-hosted configurations in versions prior to 2022-08-29, attackers can register new accounts and upload files to arbitrary directories within the container. If the attacker uploads a Python script to the right location, they can execute arbitrary code within the container. To be affected, ALL of the following must be true: Self-hosted deployment (GrowthBook Cloud is unaffected); using local file uploads (as opposed to S3 or Google Cloud Storage); NODE_ENV set to a non-production value and JWT_SECRET set to an easily guessable string like `dev`. This issue is patched in commit 1a5edff8786d141161bf880c2fd9ccbe2850a264 (2022-08-29). As a workaround, set `JWT_SECRET` environment variable to a long random string. This will stop arbitrary file uploads, but the only way to stop attackers from registering accounts is by updating to the latest build.
🕴 Report Highlights Prevalence of Software Supply Chain Risks 🕴
via "Dark Reading".
Multiclient research report shows organizations are significantly increasing efforts to secure their supply chains in response to software supply chain attacks.
🗓️ A rough guide to launching a career in cybersecurity 🗓️
via "The Daily Swig".
Entry-level training courses offer paths to glory
‼ CVE-2022-40023 ‼
via "National Vulnerability Database".
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
‼ CVE-2022-37189 ‼
via "National Vulnerability Database".
DDMAL MEI2Volpiano 0.8.2 is vulnerable to XML External Entity (XXE), leading to a Denial of Service. This occurs due to the usage of the unsafe 'xml.etree' library to parse untrusted XML input.
‼ CVE-2022-36659 ‼
via "National Vulnerability Database".
xhyve commit dfbe09b was discovered to contain a NULL pointer dereference via the component vi_pci_write(). This vulnerability allows attackers to cause a Denial of Service via unspecified vectors.
‼ CVE-2022-36660 ‼
via "National Vulnerability Database".
xhyve commit dfbe09b was discovered to contain a stack buffer overflow via the component pci_vtrnd_notify().
‼ CVE-2022-36539 ‼
via "National Vulnerability Database".
WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.
‼ CVE-2022-31414 ‼
via "National Vulnerability Database".
D-Link DIR-1960 firmware DIR-1960_A1_1.11 was discovered to contain a buffer overflow via srtcat in prog.cgi. This vulnerability allowed attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
‼ CVE-2022-36661 ‼
via "National Vulnerability Database".
xhyve commit dfbe09b was discovered to contain a NULL pointer dereference via the component vi_pci_read(). This vulnerability allows attackers to cause a Denial of Service via unspecified vectors.
‼ CVE-2022-37780 ‼
via "National Vulnerability Database".
Phicomm FIR151B A2, FIR302E A2, FIR300B A2, FIR303B A2 routers V3.0.1.17 were discovered to contain a remote command execution (RCE) vulnerability via the pingAddr parameter of the tracert function.
‼ CVE-2022-36587 ‼
via "National Vulnerability Database".
In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, there is a buffer overflow vulnerability caused by sprintf in function in the httpd binary.
‼ CVE-2022-3129 ‼
via "National Vulnerability Database".
A vulnerability was found in codeprojects Online Driving School. It has been rated as critical. Affected by this issue is some unknown functionality of the file /registration.php. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-207872.
‼ CVE-2022-36080 ‼
via "National Vulnerability Database".
Wikmd is a file-based wiki that uses markdown. Prior to version 1.7.1, an attacker could capture a user's session cookies or execute malicious JavaScript when a victim edits a markdown file. Version 1.7.1 fixes this issue.
‼ CVE-2022-36081 ‼
via "National Vulnerability Database".
Wikmd is a file-based wiki that uses markdown. Prior to version 1.7.1, Wikmd is vulnerable to path traversal when accessing `/list/<path:folderpath>` and discloses lists of files located on the server including sensitive data. Version 1.7.1 fixes this issue.
‼ CVE-2022-36079 ‼
via "National Vulnerability Database".
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the master key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.