βΌ CVE-2022-37962 βΌ
π Read
via "National Vulnerability Database".
Microsoft PowerPoint Remote Code Execution Vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39206 βΌ
π Read
via "National Vulnerability Database".
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39207 βΌ
π Read
via "National Vulnerability Database".
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same context as the UI without any further restrictions. This leads to Cross-Site Scripting (XSS) when a user creates a build artifact that contains HTML. When accessing the artifact, the content is rendered by the browser, including any JavaScript that it contains. Since all cookies (except for the rememberMe one) do not set the HttpOnly flag, an attacker could steal the session of a victim and use it to impersonate them. To exploit this issue, attackers need to be able to modify the content of artifacts, which usually means they need to be able to modify a project's build spec. The exploitation requires the victim to click on an attacker's link. It can be used to elevate privileges by targeting admins of a OneDev instance. In the worst case, this can lead to arbitrary code execution on the server, because admins can create Server Shell Executors and use them to run any command on the server. This issue has been patched in version 7.3.0. Users are advised to upgrade. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38007 βΌ
π Read
via "National Vulnerability Database".
Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34719 βΌ
π Read
via "National Vulnerability Database".
Windows Distributed File System (DFS) Elevation of Privilege Vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39203 βΌ
π Read
via "National Vulnerability Database".
matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Attackers can specify a specific string of characters, which would confuse the bridge into combining an attacker-owned channel and an existing channel, allowing them to grant themselves permissions in the channel. The vulnerability has been patched in matrix-appservice-irc 0.35.0. As a workaround operators may disable dynamic channel joining via `dynamicChannels.enabled` to prevent users from joining new channels, which prevents any new channels being bridged outside of what is already bridged, and what is specified in the config.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36106 βΌ
π Read
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the expiration time of a password reset link for TYPO3 backend users has never been evaluated. As a result, a password reset link could be used to perform a password reset even if the default expiry time of two hours has been exceeded. Update to TYPO3 version 10.4.32 or 11.5.16 that fix the problem. There are no known workarounds for this issue.π Read
via "National Vulnerability Database".
β Serious Security: Browser-in-the-browser attacks β watch out for windows that arenβt! β
π Read
via "Naked Security".
It sounds like a scam that could never work: use a picture of browser and convince the user it's a real browser. You might be surprised...π Read
via "Naked Security".
Naked Security
Serious Security: Browser-in-the-browser attacks β watch out for windows that arenβt!
Simple but super-sneaky β use a picture of a browser, and convince people itβs realβ¦
π΄ Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs π΄
π Read
via "Dark Reading".
In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.π Read
via "Dark Reading".
Dark Reading
Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs
In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.
π1
βΌ CVE-2022-34356 βΌ
π Read
via "National Vulnerability Database".
IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to obtain root privileges. IBM X-Force ID: 230502.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0871 βΌ
π Read
via "National Vulnerability Database".
In PVRSRVBridgePMRPDumpSymbolicAddr of the PowerVR kernel driver, a missing size check means there is a possible integer overflow that could allow out-of-bounds heap access. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-238921253π Read
via "National Vulnerability Database".
βΌ CVE-2022-20387 βΌ
π Read
via "National Vulnerability Database".
Summary:Product: AndroidVersions: Android SoCAndroid ID: A-238227324π Read
via "National Vulnerability Database".
βΌ CVE-2022-2962 βΌ
π Read
via "National Vulnerability Database".
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20388 βΌ
π Read
via "National Vulnerability Database".
Summary:Product: AndroidVersions: Android SoCAndroid ID: A-238227323π Read
via "National Vulnerability Database".
βΌ CVE-2022-34336 βΌ
π Read
via "National Vulnerability Database".
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229714.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0942 βΌ
π Read
via "National Vulnerability Database".
The path in this case is a little bit convoluted. The end result is that via an ioctl an untrusted app can control the ui32PageIndex offset in the expression:sPA.uiAddr = page_to_phys(psOSPageArrayData->pagearray[ui32PageIndex]);With the current PoC this crashes as an OOB read. However, given that the OOB read value is ending up as the address field of a struct I think i seems plausible that this could lead to an OOB write if the attacker is able to cause the OOB read to pull an interesting kernel address. Regardless if this is a read or write, it is a High severity issue in the kernel.Product: AndroidVersions: Android SoCAndroid ID: A-238904312π Read
via "National Vulnerability Database".
βΌ CVE-2022-20396 βΌ
π Read
via "National Vulnerability Database".
In SettingsActivity.java, there is a possible way to make a device discoverable over Bluetooth, without permission or user interaction, due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12L Android-13Android ID: A-234440688π Read
via "National Vulnerability Database".
βΌ CVE-2022-20398 βΌ
π Read
via "National Vulnerability Database".
In addOrUpdateNetwork of WifiServiceImpl.java, there is a possible way for a guest user to configure Wi-Fi due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-221859734π Read
via "National Vulnerability Database".
βΌ CVE-2022-20395 βΌ
π Read
via "National Vulnerability Database".
In checkAccess of MediaProvider.java, there is a possible file deletion due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-221855295π Read
via "National Vulnerability Database".
βΌ CVE-2022-20389 βΌ
π Read
via "National Vulnerability Database".
Summary:Product: AndroidVersions: Android SoCAndroid ID: A-238257004π Read
via "National Vulnerability Database".
βΌ CVE-2022-39819 βΌ
π Read
via "National Vulnerability Database".
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur in /cgi-bin/R14.2/log.pl via the cmd HTTP GET parameter and /cgi-bin/R14.2/checkping.pl via the addr HTTP GET parameter. This allows authenticated users to execute commands on the operating system.π Read
via "National Vulnerability Database".