βΌ CVE-2022-3130 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in codeprojects Online Driving School. This affects an unknown part of the file /login.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-207873 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36049 βΌ
π Read
via "National Vulnerability Database".
Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux's helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.π Read
via "National Vulnerability Database".
π Trade Secrets: What Your Company Needs to Know π
π Read
via "".
What are trade secrets and what makes them so important? As an organization, when you identify a piece of information as a trade secret you should take steps to protect it and keep it from being disclosed.π Read
via "".
βΌ CVE-2022-38254 βΌ
π Read
via "National Vulnerability Database".
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the ajax.php script in CCM 3.1.5.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36083 βΌ
π Read
via "National Vulnerability Database".
JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive. This makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish. Under certain conditions, it is possible to have the user's environment consume unreasonable amount of CPU time. The impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means. The `v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option. If users are unable to upgrade their required library version, they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms. They can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether, or they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter).π Read
via "National Vulnerability Database".
βΌ CVE-2022-36089 βΌ
π Read
via "National Vulnerability Database".
KubeVela is an application delivery platform Users using KubeVela's VelaUX APIServer could be affected by an authentication bypass vulnerability. In KubeVela prior to versions 1.4.11 and 1.5.4, VelaUX APIServer uses the `PlatformID` as the signed key to generate the JWT tokens for users. Another API called `getSystemInfo` exposes the platformID. This vulnerability allows users to use the platformID to re-generate the JWT tokens to bypass the authentication. Versions 1.4.11 and 1.5.4 contain a patch for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36086 βΌ
π Read
via "National Vulnerability Database".
linked_list_allocator is an allocator usable for no_std systems. Prior to version 0.10.2, the heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than `3 * size_of::<usize>` because of metadata write operations. This vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method. Version 0.10.2 contains a patch for the issue. As a workaround, ensure that the heap is only initialized with a size larger than `3 * size_of::<usize>` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::<usize>()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::<usize>()`.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36082 βΌ
π Read
via "National Vulnerability Database".
mangadex-downloader is a command-line tool to download manga from MangaDex. When using `file:<location>` command and `<location>` is a web URL location (http, https), mangadex-downloader between versions 1.3.0 and 1.7.2 will try to open and read a file in local disk for each line of website contents. Version 1.7.2 contains a patch for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38248 βΌ
π Read
via "National Vulnerability Database".
Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38251 βΌ
π Read
via "National Vulnerability Database".
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38250 βΌ
π Read
via "National Vulnerability Database".
Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38249 βΌ
π Read
via "National Vulnerability Database".
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36088 βΌ
π Read
via "National Vulnerability Database".
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36585 βΌ
π Read
via "National Vulnerability Database".
In Tenda G3 US_G3V3.0br_V15.11.0.6(7663)_EN_TDE, in httpd binary, the addDhcpRule function has a buffer overflow caused by sscanf.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19914 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) in xiunobbs 4.0.4 allows remote attackers to execute arbitrary web script or HTML via the attachment upload function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38247 βΌ
π Read
via "National Vulnerability Database".
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Settings page under the Admin panel.π Read
via "National Vulnerability Database".
π1
π’ Signal hires former Google manager Meredith Whittaker as first president π’
π Read
via "ITPro".
An outspoken critic of the dangers of AI, Whittaker promises to keep Signal users out of tech giants' "surveillant gaze"π Read
via "ITPro".
IT PRO
Signal hires former Google manager Meredith Whittaker as first president | IT PRO
An outspoken critic of the dangers of AI, Whittaker promises to keep Signal users out of tech giants' "surveillant gaze"
π1
π’ German firms beef up cyber security to stay ahead of new threats π’
π Read
via "ITPro".
Ongoing Russia-Ukraine war increased digitisation, and disruptions from COVID-19 call for advanced security tools and servicesπ Read
via "ITPro".
IT PRO
German firms beef up cyber security to stay ahead of new threats | IT PRO
Ongoing Russia-Ukraine war increased digitisation, and disruptions from COVID-19 call for advanced security tools and services
π’ Sophos: Retail organisations pay significantly less in ransomware attacks π’
π Read
via "ITPro".
It's a game of volume in retail since despite being the second-most targeted industry, the average payment per case is well below the industry averageπ Read
via "ITPro".
IT PRO
Sophos: Retail organisations pay significantly less in ransomware attacks | IT PRO
It's a game of volume in retail since despite being the second-most targeted industry, the average payment per case is well below the industry average
π’ Second-largest US school district falls to ransomware attack π’
π Read
via "ITPro".
Los Angeles Unified School District detected βunusual activityβ across its IT systems over the weekendπ Read
via "ITPro".
IT PRO
Second-largest US school district falls to ransomware attack | IT PRO
Los Angeles Unified School District detected βunusual activityβ across its IT systems over the weekend
π’ Japan investigates potential Russian Killnet cyber attacks π’
π Read
via "ITPro".
The hacker group has said itβs revolting against the countryβs militarism and that itβs βkicking the samuraiβπ Read
via "ITPro".
IT PRO
Japan investigates potential Russian Killnet cyber attacks | IT PRO
The hacker group has said itβs revolting against the countryβs militarism and that itβs βkicking the samuraiβ