βΌ CVE-2022-36736 βΌ
π Read
via "National Vulnerability Database".
Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20696 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the binding configuration of Cisco SD-WAN vManage Software containers could allow an unauthenticated, adjacent attacker who has access to the VPN0 logical network to also access the messaging service ports on an affected system. This vulnerability exists because the messaging server container ports on an affected system lack sufficient protection mechanisms. An attacker could exploit this vulnerability by connecting to the messaging service ports of the affected system. To exploit this vulnerability, the attacker must be able to send network traffic to interfaces within the VPN0 logical network. This network may be restricted to protect logical or physical adjacent networks, depending on device deployment configuration. A successful exploit could allow the attacker to view and inject messages into the messaging service, which can cause configuration changes or cause the system to reload.π Read
via "National Vulnerability Database".
π Hydra Network Logon Cracker 9.4 π
π Read
via "Packet Storm Security".
THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.π Read
via "Packet Storm Security".
Packetstormsecurity
Hydra Network Logon Cracker 9.4 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π Wireshark Analyzer 3.6.8 π
π Read
via "Packet Storm Security".
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.π Read
via "Packet Storm Security".
Packetstormsecurity
Wireshark Analyzer 3.6.8 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2022-36090 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36085 βΌ
π Read
via "National Vulnerability Database".
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe ΓΒ’Γ’β¬Òβ¬οΏ½ and as such rejected ΓΒ’Γ’β¬Òβ¬οΏ½ by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isnΓΒ’Γ’β¬ÒβΒ’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3153 βΌ
π Read
via "National Vulnerability Database".
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0403.π Read
via "National Vulnerability Database".
ποΈ Vendor disputes seriousness of firewall plugin RCE flaw ποΈ
π Read
via "The Daily Swig".
pfSense and sensibilityπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Vendor disputes seriousness of firewall plugin RCE flaw
pfSense and sensibility
βΌ CVE-2022-37164 βΌ
π Read
via "National Vulnerability Database".
Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27967 βΌ
π Read
via "National Vulnerability Database".
Cynet 360 Web Portal before v4.5 was discovered to allow attackers to access a list of excluded files and profiles via a crafted GET request sent to /WebApp/SettingsExclusion/GetExclusionsProfiles.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38255 βΌ
π Read
via "National Vulnerability Database".
Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /interview/editQuestion.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38260 βΌ
π Read
via "National Vulnerability Database".
Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=questiondelete&id=.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27968 βΌ
π Read
via "National Vulnerability Database".
Cynet 360 Web Portal before v4.5 was discovered to allow attackers to access a list of monitored files and profiles via a crafted GET request sent to /WebApp/SettingsFileMonitor/GetFileMonitorProfiles.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27969 βΌ
π Read
via "National Vulnerability Database".
Cynet 360 Web Portal before v4.5 was discovered to allow attackers to access a list of decoy users via a crafted GET request sent to /WebApp/DeceptionUser/GetAllDeceptionUsers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22314 βΌ
π Read
via "National Vulnerability Database".
IBM Planning Analytics Local 2.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 217371.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37857 βΌ
π Read
via "National Vulnerability Database".
bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear-text on the android client device by default.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37163 βΌ
π Read
via "National Vulnerability Database".
Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36091 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36100 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-38265 βΌ
π Read
via "National Vulnerability Database".
Apartment Visitor Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /avms/edit-apartment.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38267 βΌ
π Read
via "National Vulnerability Database".
School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the component /modules/user/index.php?view=edit&id=.π Read
via "National Vulnerability Database".