‼ CVE-2022-40622 ‼
📖 Read
via "National Vulnerability Database".
The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address to match the logged-in administrator's, or is behind the same NAT as the logged in administrator, session takeover is possible.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-20393 ‼
📖 Read
via "National Vulnerability Database".
In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure from the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-233735886📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39817 ‼
📖 Read
via "National Vulnerability Database".
In NOKIA 1350 OMS R14.2, multiple SQL Injection vulnerabilities occur in /cgi-bin/R14.2/easy1350.pl via the id or host HTTP GET parameter, or /cgi-bin/R14.2/cgi-bin/R14.2/host.pl via the host HTTP GET parameter. Exploitation requires an authenticated attacker.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39815 ‼
📖 Read
via "National Vulnerability Database".
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur in /CGI-BIN/OTNE_1-14/runBatch.cgi via the file HTTP POST parameter, /CGI-BIN/OTNE_1-14/getRadioTLs.cgi via the context HTTP POST parameter, /CGI-BIN/OTNE_1-14/runRouteReport.cgi via the file HTTP POST parameter or /CGI-BIN/RemoteCommandManager.cgi via the command HTTP POST parameter.📖 Read
via "National Vulnerability Database".
👍1
🕴 Bishop Fox Releases Cloud Enumeration Tool CloudFox 🕴
📖 Read
via "Dark Reading".
CloudFox is a command-line tool to help penetration testers understand unknown cloud environments.📖 Read
via "Dark Reading".
Dark Reading
Bishop Fox Releases Cloud Enumeration Tool CloudFox
CloudFox is a command-line tool that helps penetration testers understand unknown cloud environments.
‼ CVE-2021-36568 ‼
📖 Read
via "National Vulnerability Database".
In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31861 ‼
📖 Read
via "National Vulnerability Database".
Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38768 ‼
📖 Read
via "National Vulnerability Database".
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to bypass authorization.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31322 ‼
📖 Read
via "National Vulnerability Database".
Penta Security Systems Inc WAPPLES v6.0 r3 4.10-hotfix1 allows attackers to escalate privileges via overwriting files using SUID flagged executables.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-37190 ‼
📖 Read
via "National Vulnerability Database".
CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34101 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38633 ‼
📖 Read
via "National Vulnerability Database".
Genymotion Desktop v3.2.1 was discovered to contain a DLL hijacking vulnerability which allows attackers to escalate privileges and execute arbitrary code via a crafted binary.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38771 ‼
📖 Read
via "National Vulnerability Database".
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to send SCRIPT tags as injected input to the API request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-37191 ‼
📖 Read
via "National Vulnerability Database".
The component "cuppa/api/index.php" of CuppaCMS v1.0 is Vulnerable to LFI. An authenticated user can read system files via crafted POST request using [function] parameter value as LFI payload.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38770 ‼
📖 Read
via "National Vulnerability Database".
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch other users' data upon a successful login request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31324 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file download vulnerability in the downloadAction() function of Penta Security Systems Inc WAPPLES v6.0 r3 4.10-hotfix1 allows attackers to download arbitrary files via a crafted POST request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38305 ‼
📖 Read
via "National Vulnerability Database".
AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the component /admin/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35413 ‼
📖 Read
via "National Vulnerability Database".
WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38769 ‼
📖 Read
via "National Vulnerability Database".
The mobile application in Transtek Mojodat FAM (Fixed Asset Management) 2.4.6 allows remote attackers to fetch cleartext passwords upon a successful login request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35582 ‼
📖 Read
via "National Vulnerability Database".
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34102 ‼
📖 Read
via "National Vulnerability Database".
Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.📖 Read
via "National Vulnerability Database".