How to deal with dates and times without any timezone tantrums…
Heartfelt encouragement to embrace RFC 3339 – find out why!
via "Naked Security".
CVE-2022-3178
Buffer Over-read in GitHub repository gpac/gpac prior to 2.1.0-DEV.
via "National Vulnerability Database".
CVE-2022-31220
Dell BIOS versions contain an Unchecked Return Value vulnerability. A local authenticated administrator user could potentially exploit this vulnerability in order to change the state of the system or cause unexpected failures.
via "National Vulnerability Database".
CVE-2022-37300
A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability exists that could cause unauthorized access in read and write mode to the controller when communicating over Modbus. Affected Products: EcoStruxure Control Expert Including all Unity Pro versions (former name of EcoStruxure Control Expert) (V15.0 SP1 and prior), EcoStruxure Process Expert, Including all versions of EcoStruxure Hybrid DCS (former name of EcoStruxure Process Expert) (V2021 and prior), Modicon M340 CPU (part numbers BMXP34*) (V3.40 and prior), Modicon M580 CPU (part numbers BMEP* and BMEH*) (V3.20 and prior).
via "National Vulnerability Database".
CVE-2022-31224
Dell BIOS versions contain an Improper Protection Against Voltage and Clock Glitches vulnerability. An attacker with physical access to the system could potentially exploit this vulnerability by triggering a fault condition in order to change the behavior of the system.
via "National Vulnerability Database".
CVE-2022-31223
Dell BIOS versions contain an Improper Neutralization of Null Byte vulnerability. A local authenticated administrator user could potentially exploit this vulnerability by sending unexpected null bytes in order to read memory on the system.
via "National Vulnerability Database".
CVE-2022-31221
Dell BIOS versions contain an Information Exposure vulnerability. A local authenticated administrator user could potentially exploit this vulnerability in order to access sensitive state information on the system.
via "National Vulnerability Database".
CVE-2022-31222
Dell BIOS versions contain a Missing Release of Resource after Effective Lifetime vulnerability. A local authenticated administrator user could potentially exploit this vulnerability by consuming excess memory in order to cause the application to crash.
via "National Vulnerability Database".
CVE-2022-31226
Dell BIOS versions contain a Stack-based Buffer Overflow vulnerability. A local authenticated malicious user could potentially exploit this vulnerability by sending excess data to a function in order to gain arbitrary code execution on the system.
via "National Vulnerability Database".
CVE-2022-31225
Dell BIOS versions contain an Unchecked Return Value vulnerability. A local authenticated administrator user could potentially exploit this vulnerability in order to change the state of the system or cause unexpected failures.
via "National Vulnerability Database".
CVE-2022-1700
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in the Policy Engine of Forcepoint Data Loss Prevention (DLP), which is also leveraged by Forcepoint One Endpoint (F1E), Web Security Content Gateway, Email Security with DLP enabled, and Cloud Security Gateway prior to June 20, 2022. The XML parser in the Policy Engine was found to be improperly configured to support external entities and external DTD (Document Type Definitions), which can lead to an XXE attack. This issue affects: Forcepoint Data Loss Prevention (DLP) versions prior to 8.8.2. Forcepoint One Endpoint (F1E) with Policy Engine versions prior to 8.8.2. Forcepoint Web Security Content Gateway versions prior to 8.5.5. Forcepoint Email Security with DLP enabled versions prior to 8.5.5. Forcepoint Cloud Security Gateway prior to June 20, 2022.
via "National Vulnerability Database".
CVE-2022-37860
The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability.
via "National Vulnerability Database".
Apple patches a zero-day hole – even in the brand new iOS 16
Five updates, one upgrade, plus a zero-day. Patch your Macs, iPhones and iPads as soon as you can (again)...
via "Naked Security".
CVE-2021-44426
An issue was discovered in AnyDesk before 6.2.6 and 6.3.x before 6.3.5. An upload of an arbitrary file to a victim's local ~/Downloads/ directory is possible if the victim is using the AnyDesk Windows client to connect to a remote machine, if an attacker is also connected remotely with AnyDesk to the same remote machine. The upload is done without any approval or action taken by the victim.
via "National Vulnerability Database".
CVE-2022-38605
Church Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/edit_event.php.
via "National Vulnerability Database".
CVE-2022-38295
Cuppa CMS v1.0 was discovered to contain a cross-site scripting vulnerability at /table_manager/view/cu_user_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Add New Group function.
via "National Vulnerability Database".
CVE-2022-39200
Dendrite is a Matrix homeserver written in Go. In affected versions events retrieved from a remote homeserver using the `/get_missing_events` path did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable. The problem has been fixed in Dendrite 0.9.8. Users are advised to upgrade. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-38606
Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editcategory.php.
via "National Vulnerability Database".
CVE-2022-36102
Shopware is an open source e-commerce software. In affected versions, if backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions which they are normally not able to do. Users are advised to update to the current version (5.7.15). Users can get the update via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.
via "National Vulnerability Database".
CVE-2022-38135
Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings.
via "National Vulnerability Database".
CVE-2022-36173
FreshService macOS Agent < 4.4.0 and FreshService Linux Agent < 3.4.0 are vulnerable to TLS Man-in-The-Middle via the FreshAgent client and scheduled update service.
via "National Vulnerability Database".