‼ CVE-2022-37139 ‼
via "National Vulnerability Database".
Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability.
‼ CVE-2022-40626 ‼
via "National Vulnerability Database".
An unauthenticated user can create a link with reflected JavaScript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.
‼ CVE-2022-36669 ‼
via "National Vulnerability Database".
Hospital Information System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
‼ CVE-2022-36436 ‼
via "National Vulnerability Database".
OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by a vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacker with network access to the proxy server could leverage this vulnerability to connect to VNC servers protected by the proxy server without providing any authentication credentials. Exploitation of this issue requires that the proxy server is currently accepting connections for the target VNC server.
‼ CVE-2022-40673 ‼
via "National Vulnerability Database".
KDiskMark before 3.1.0 lacks authorization checking for D-Bus methods such as Helper::flushPageCache.
‼ CVE-2022-34831 ‼
via "National Vulnerability Database".
An issue was discovered in Keyfactor PrimeKey EJBCA before 7.9.0, related to possible inconsistencies in DNS identifiers submitted in an ACME order and the corresponding CSR submitted during finalization. During the ACME enrollment process, an order is submitted containing an identifier for one or multiple dnsNames. These are validated properly in the ACME challenge. However, if the validation passes, a non-compliant client can include additional dnsNames in the CSR sent to the finalize endpoint, resulting in EJBCA issuing a certificate including the identifiers that were not validated. This occurs even if the certificate profile is configured to not allow a DN override by the CSR.
‼ CVE-2022-37137 ‼
via "National Vulnerability Database".
PayMoney 3.3 is vulnerable to Stored Cross-Site Scripting (XSS) when replying to a ticket. The XSS can be obtained by injecting a specially crafted payload under the "Message" field with the "description" parameter. The XSS will then prompt after that, or can be accessed from the view ticket function.
🕴 TeamTNT Hits 150K Docker Containers via Malicious Cloud Images 🕴
via "Dark Reading".
Honeypot activity exposed two credentials that the threat actor is using to host and distribute malicious container images, security vendor says.
Dark Reading
TeamTNT Hits Docker Containers via 150K Malicious Cloud Image Pulls
🕴 Cyberattacks Are Now Increasingly Hands-On, Break Out More Quickly 🕴
via "Dark Reading".
Interactive intrusion campaigns jumped nearly 50%, while the breakout time between initial access and lateral movement shrank to less than 90 minutes, putting pressure on defenders to react quickly.
🕴 To Ease the Cybersecurity Worker Shortage, Broaden the Candidate Pipeline 🕴
via "Dark Reading".
With enough passion, intelligence, and effort, anyone can be a successful cybersecurity professional, regardless of education or background.
‼ CVE-2022-37661 ‼
via "National Vulnerability Database".
SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature.
🛠 Faraday 4.1.0 🛠
via "Packet Storm Security".
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
‼ CVE-2022-3202 ‼
via "National Vulnerability Database".
A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS) in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information.
‼ CVE-2022-22520 ‼
via "National Vulnerability Database".
A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.
‼ CVE-2022-38796 ‼
via "National Vulnerability Database".
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.
🕴 SparklingGoblin Updates Linux Version of SideWalk Backdoor in Ongoing Cyber Campaign 🕴
via "Dark Reading".
Researchers link the APT to an attack on a Hong Kong university, which compromised multiple key servers using advanced Linux malware.
🕴 Should Hacking Have A Code Of Conduct? 🕴
via "Dark Reading".
For white hats who play by the rules, here are five ethical tenets to consider.
‼ CVE-2022-20364 ‼
via "National Vulnerability Database".
In sysmmu_unmap of TBD, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-233606615. References: N/A
‼ CVE-2022-3212 ‼
via "National Vulnerability Database".
<bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash. This also applies to these extractors which used Bytes::from_request internally: axum::extract::Form, axum::extract::Json, String
‼ CVE-2022-0029 ‼
via "National Vulnerability Database".
An improper link resolution vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local attacker to read files on the system with elevated privileges when generating a tech support file.
‼ CVE-2022-20231 ‼
via "National Vulnerability Database".
In smc_intc_request_fiq of arm_gic.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-211485702. References: N/A