βΌ CVE-2022-36098 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38269 βΌ
π Read
via "National Vulnerability Database".
School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the component /modules/modstudent/index.php?view=edit&id=.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36097 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36096 βΌ
π Read
via "National Vulnerability Database".
The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, modify fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, open the `JavaScriptExtension` object and apply on the content the changes that can be found on the fix commit.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36095 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem, to apply the changes exposed there.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38268 βΌ
π Read
via "National Vulnerability Database".
School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the component /modules/autonumber/index.php?view=edit&id=.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36094 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40299 βΌ
π Read
via "National Vulnerability Database".
In Singular before 4.3.1, a predictable /tmp pathname is used (e.g., by sdb.cc), which allows local users to gain the privileges of other users via a procedure in a file under /tmp. NOTE: this CVE Record is about sdb.cc and similar files in the Singular interface that have predictable /tmp pathnames; this CVE Record is not about the lack of a safe temporary-file creation capability in the Singular language.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40297 βΌ
π Read
via "National Vulnerability Database".
UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be used for a privileged shell via Sudo. This passcode is only four digits, far below typical length/complexity for a user account's password.π Read
via "National Vulnerability Database".
βοΈ Transacting in Person with Strangers from the Internet βοΈ
π Read
via "Krebs on Security".
Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don't deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you've agreed to meet has other intentions.π Read
via "Krebs on Security".
Krebs on Security
Transacting in Person with Strangers from the Internet
Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don't deserve to end up inβ¦
ποΈ ManageEngine vulnerability posed code injection risk for password management software ποΈ
π Read
via "The Daily Swig".
Authentication-free flaw opened the door to a raft of exploitsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
ManageEngine vulnerability posed code injection risk for password management software
Authentication-free flaw opened the door to a raft of exploits
ποΈ Six-year-old blind SSRF vulnerability in WordPress Core feature could enable DDoS attacks ποΈ
π Read
via "The Daily Swig".
Issue present in pingback requests featureπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Six-year-old blind SSRF vulnerability in WordPress Core feature could enable DDoS attacks
Issue present in pingback requests feature
π Friday Five 9/9 π
π Read
via "".
This week saw two social media giants come under fire once again, malware that cons cybercriminals, and more cyberattacks in Ukraine. Read about these stories and more in this week's Friday Five!
π Read
via "".
βΌ CVE-2022-38144 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36861 βΌ
π Read
via "National Vulnerability Database".
Custom permission misuse vulnerability in SystemUI prior to SMR Sep-2022 Release 1 allows attacker to use some protected functions with SystemUI privilege.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26390 βΌ
π Read
via "National Vulnerability Database".
The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36793 βΌ
π Read
via "National Vulnerability Database".
Unauthenticated Plugin Settings Change & Data Deletion vulnerabilities in WP Shop plugin <= 3.9.6 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36869 βΌ
π Read
via "National Vulnerability Database".
Improper access control vulnerability in ContactsDumpActivity of?Contacts Provider prior to version 12.7.59 allows attacker to access the file without permission.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36423 βΌ
π Read
via "National Vulnerability Database".
OpenHarmony-v3.1.2 and prior versions have an incorrect configuration of the cJSON library, which leads a Stack overflow vulnerability during recursive parsing. LAN attackers can lead a DoS attack to all network devices.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36864 βΌ
π Read
via "National Vulnerability Database".
Improper access control and intent redirection in Samsung Email prior to 6.1.70.20 allows attacker to access specific formatted file and execute privileged behavior.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36852 βΌ
π Read
via "National Vulnerability Database".
Improper Authorization vulnerability in Video Editor prior to SMR Sep-2022 Release 1 allows local attacker to access internal application data.π Read
via "National Vulnerability Database".