📢 HP patches high-severity security flaw in its own support tool 📢
📖 Read
via "ITPro".
The application that's installed in every HP desktop and notebook was allowing hackers to elevate privileges through a DLL hijacking vulnerability📖 Read
via "ITPro".
IT PRO
HP patches high-severity security flaw in its own support tool | IT PRO
The application that's installed in every HP desktop and notebook was allowing hackers to elevate privileges through a DLL hijacking vulnerability
‼ CVE-2022-28742 ‼
📖 Read
via "National Vulnerability Database".
aEnrich eHRD Learning Management Key Performance Indicator System 5+ has Improper Access Control. The web application does not validate user session when accessing many application pages. This can allow an attacker to gain unauthenticated access to sensitive functionalities in the application📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28741 ‼
📖 Read
via "National Vulnerability Database".
aEnrich a+HRD 5.x Learning Management Key Performance Indicator System has a local file inclusion (LFI) vulnerability that occurs due to missing input validation in v5.x📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36617 ‼
📖 Read
via "National Vulnerability Database".
Arq Backup 7.19.5.0 and below stores backup encryption passwords using reversible encryption. This issue allows attackers with administrative privileges to recover cleartext passwords.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38614 ‼
📖 Read
via "National Vulnerability Database".
An issue in the IGB Files and OutfileService features of SmartVista Cardgen v3.28.0 allows attackers to list and download arbitrary files via modifying the PATH parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38613 ‼
📖 Read
via "National Vulnerability Database".
A Path Traversal vulnerability in SmartVista Cardgen v3.28.0 allows authenticated attackers to read arbitrary files in the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40317 ‼
📖 Read
via "National Vulnerability Database".
OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28740 ‼
📖 Read
via "National Vulnerability Database".
aEnrich eHRD Learning Management Key Performance Indicator System 5+ exposes Sensitive Information to an Unauthorized Actor.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38615 ‼
📖 Read
via "National Vulnerability Database".
SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL injection vulnerabilities via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/service_group.jsf.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39810 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34165 ‼
📖 Read
via "National Vulnerability Database".
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39809 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the name parameter. Session hijacking or similar attacks would not be possible.📖 Read
via "National Vulnerability Database".
🕴 Business Security Starts With Identity 🕴
📖 Read
via "Dark Reading".
How identity-centric security can support business objectives.📖 Read
via "Dark Reading".
Dark Reading
Business Security Starts With Identity
How identity-centric security can support business objectives.
‼ CVE-2022-38639 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Markdown-Nice v1.8.22 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Community Posting field.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-44835 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Active Intelligent Visualization 5. The Vdc header is used in a SQL query without being sanitized. This causes SQL injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3133 ‼
📖 Read
via "National Vulnerability Database".
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36109 ‼
📖 Read
via "National Vulnerability Database".
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40647 ‼
📖 Read
via "National Vulnerability Database".
In man2html 1.6g, a specific string being read in from a file will overwrite the size parameter in the top chunk of the heap. This at least causes the program to segmentation abort if the heap size parameter isn't aligned correctly. In version before GLIBC version 2.29 and aligned correctly, it allows arbitrary write anywhere in the programs memory.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40648 ‼
📖 Read
via "National Vulnerability Database".
In man2html 1.6g, a filename can be created to overwrite the previous size parameter of the next chunk and the fd, bk, fd_nextsize, bk_nextsize of the current chunk. The next chunk is then freed later on, causing a freeing of an arbitrary amount of memory.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31006 ‼
📖 Read
via "National Vulnerability Database".
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose. However, the ledger content will not be impacted and the ledger will resume functioning after the attack. This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network's expected users. The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks. The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38638 ‼
📖 Read
via "National Vulnerability Database".
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.📖 Read
via "National Vulnerability Database".
👍1