‼ CVE-2022-28977 ‼
📖 Read
via "National Vulnerability Database".
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35896 ‼
📖 Read
via "National Vulnerability Database".
An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An attacker can dump SMRAM contents via the software SMI provided by the FvbServicesRuntimeDxe driver to read the contents of SMRAM, leading to information disclosure.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40186 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in HashiCorp Vault and Vault Enterprise before 1.11.3. A vulnerability in the Identity Engine was found where, in a deployment where an entity has multiple mount accessors with shared alias names, Vault may overwrite metadata to the wrong alias due to an issue with checking the proper alias assigned to an entity. This may allow for unintended access to key/value paths using that metadata in Vault.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28978 ‼
📖 Read
via "National Vulnerability Database".
Stored cross-site scripting (XSS) vulnerability in the Site module's user membership administration page in Liferay Portal 7.0.1 through 7.4.1, and Liferay DXP 7.0 before fix pack 102, 7.1 before fix pack 26, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the a user's name.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28980 ‼
📖 Read
via "National Vulnerability Database".
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allows attackers to execute arbitrary web scripts or HTML via parameters with the filter_ prefix.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28982 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Liferay Portal v7.3.3 through v7.4.2 and Liferay DXP v7.3 before service pack 3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name of a tag.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39197 ‼
📖 Read
via "National Vulnerability Database".
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39975 ‼
📖 Read
via "National Vulnerability Database".
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a "Content Page" type page, allowing attackers to view unpublished "Content Page" pages via URL manipulation.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38512 ‼
📖 Read
via "National Vulnerability Database".
The Translation module in Liferay Portal v7.4.3.12 through v7.4.3.36, and Liferay DXP 7.4 update 8 through 36 does not check permissions before allowing a user to export a web content for translation, allowing attackers to download a web content page's XLIFF translation file via crafted URL.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3267 ‼
📖 Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3268 ‼
📖 Read
via "National Vulnerability Database".
Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3256 ‼
📖 Read
via "National Vulnerability Database".
Use After Free in GitHub repository vim/vim prior to 9.0.0530.📖 Read
via "National Vulnerability Database".
🗓️ Tarfile path traversal bug from 2007 still present in 350k open source repos 🗓️
📖 Read
via "The Daily Swig".
Warning added to Python documentation was deemed preferable to a patch📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Tarfile path traversal bug from 2007 still present in 350k open source repos
Warning added to Python documentation was deemed preferable to a patch
‼ CVE-2022-40446 ‼
📖 Read
via "National Vulnerability Database".
ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40443 ‼
📖 Read
via "National Vulnerability Database".
An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40447 ‼
📖 Read
via "National Vulnerability Database".
ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40146 ‼
📖 Read
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38398 ‼
📖 Read
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40444 ‼
📖 Read
via "National Vulnerability Database".
ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1941 ‼
📖 Read
via "National Vulnerability Database".
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38648 ‼
📖 Read
via "National Vulnerability Database".
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.📖 Read
via "National Vulnerability Database".