β Interested in cybersecurity? Join us for Security SOS Week 2022! β
π Read
via "Naked Security".
Four one-on-one interviews with experts who are passionate about sharing their expertise with the community.π Read
via "Naked Security".
Naked Security
Interested in cybersecurity? Join us for Security SOS Week 2022!
Four one-on-one interviews with experts who are passionate about sharing their expertise with the community.
βΌ CVE-2022-3255 βΌ
π Read
via "National Vulnerability Database".
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3068 βΌ
π Read
via "National Vulnerability Database".
Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38928 βΌ
π Read
via "National Vulnerability Database".
XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2888 βΌ
π Read
via "National Vulnerability Database".
If an attacker comes into the possession of a victim's OctoPrint session cookie through whatever means, the attacker can use this cookie to authenticate as long as the victim's account exists.π Read
via "National Vulnerability Database".
βοΈ SIM Swapper Abducted, Beaten, Held for $200k Ransom βοΈ
π Read
via "Krebs on Security".
A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen's captives held guns to his head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. The youth is now reportedly cooperating with U.S. federal investigators, who are responding to an alarming number of reports of physical violence tied to certain online crime communities.π Read
via "Krebs on Security".
Krebs on Security
SIM Swapper Abducted, Beaten, Held for $200k Ransom
A Florida teenager who served as a lackey for a cybercriminal group that specializes in cryptocurrency thefts was beaten and kidnapped last week by a rival cybercrime gang. The teen's captives held guns to his head while forcing him toβ¦
π€―1
βΌ CVE-2022-41234 βΌ
π Read
via "National Vulnerability Database".
Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41253 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins CONS3RT Plugin 1.0.0 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41229 βΌ
π Read
via "National Vulnerability Database".
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37027 βΌ
π Read
via "National Vulnerability Database".
Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that can modify the Runtime Options in the web interface can inject Java Runtime Options. These take effect after a restart. For example, an attacker can enable JMX services and consequently achieve remote code execution as the system user.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41236 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Security Inspector Plugin 117.v6eecc36919c2 and earlier allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the .../report URL with a report based on attacker-specified report generation options.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41227 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers to connect to an attacker-specified webserver using attacker-specified credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41247 βΌ
π Read
via "National Vulnerability Database".
Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41235 βΌ
π Read
via "National Vulnerability Database".
Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41249 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41243 βΌ
π Read
via "National Vulnerability Database".
Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41237 βΌ
π Read
via "National Vulnerability Database".
Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41245 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in Jenkins Worksoft Execution Manager Plugin 10.0.3.503 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41230 βΌ
π Read
via "National Vulnerability Database".
Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41250 βΌ
π Read
via "National Vulnerability Database".
A missing permission check in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3250 βΌ
π Read
via "National Vulnerability Database".
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.π Read
via "National Vulnerability Database".