βΌ CVE-2022-3354 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been found in Open5GS up to 2.4.10 and classified as problematic. This vulnerability affects unknown code in the library lib/core/ogs-tlv-msg.c of the component UDP Packet Handler. The manipulation leads to denial of service. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-209686 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35722 βΌ
π Read
via "National Vulnerability Database".
IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231381.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35282 βΌ
π Read
via "National Vulnerability Database".
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker with local network access could exploit this vulnerability to obtain sensitive data.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41434 βΌ
π Read
via "National Vulnerability Database".
A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application that allows for arbitrary execution of JavaScript commands through index.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22387 βΌ
π Read
via "National Vulnerability Database".
IBM Application Gateway is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 221965.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38934 βΌ
π Read
via "National Vulnerability Database".
readelf in ToaruOS 2.0.1 has some arbitrary address read vulnerabilities when parsing a crafted ELF file.π Read
via "National Vulnerability Database".
π΄ Phishing Attacks Crushed Records Last Quarter, Driven by Mobile π΄
π Read
via "Dark Reading".
Shocking phishing numbers (more than 1 million in a single quarter) are being driven by vishing, smishing, and other lures that target mobile devices.π Read
via "Dark Reading".
Dark Reading
Phishing Attacks Crushed Records Last Quarter, Driven by Mobile
Shocking phishing numbers (more than 1 million in a single quarter) are being driven by vishing, smishing, and other lures that target mobile devices.
π΄ Google Cloud DORA: Securing the Supply Chain Begins With Culture π΄
π Read
via "Dark Reading".
The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.π Read
via "Dark Reading".
Dark Reading
Google Cloud DORA: Securing the Supply Chain Begins With Culture
The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.
βΌ CVE-2022-40929 βΌ
π Read
via "National Vulnerability Database".
XXL-JOB 2.2.0 has a Command execution vulnerability in background tasks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3193 βΌ
π Read
via "National Vulnerability Database".
An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.π Read
via "National Vulnerability Database".
π΄ Container Supply Chain Attacks Cash In on Cryptojacking π΄
π Read
via "Dark Reading".
Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.π Read
via "Dark Reading".
Dark Reading
Container Supply Chain Attacks Cash In on Cryptojacking
Cloud-native threats are costing cloud customer victims money as cryptojackers mine their vulnerable cloud instances.
π΄ Fast Company CMS Hack Raises Security Questions π΄
π Read
via "Dark Reading".
The company's website remains offline after hackers used its compromised CMS to send out racist messages.π Read
via "Dark Reading".
Dark Reading
Fast Company CMS Hack Raises Security Questions
The company's website remains offline after hackers used its compromised CMS to send out racist messages.
π΄ Sophisticated Covert Cyberattack Campaign Targets Military Contractors π΄
π Read
via "Dark Reading".
Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.π Read
via "Dark Reading".
Dark Reading
Sophisticated Covert Cyberattack Campaign Targets Military Contractors
Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.
π΄ Google Quashes 5 High-Severity Bugs With Chrome 106 Update π΄
π Read
via "Dark Reading".
External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.π Read
via "Dark Reading".
Dark Reading
Google Quashes 5 High-Severity Bugs With Chrome 106 Update
External researchers contributed 16 of the 20 security updates included in the new Chrome 106 Stable Channel rollout, including five high-severity bugs.
π΄ Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack π΄
π Read
via "Dark Reading".
The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business canβt avoid to pay, make sure youβve got a strong data loss prevention practice in place.π Read
via "Dark Reading".
Dark Reading
Plug Your Data Leaks: Integrating Data Loss Prevention into Your Security Stack
The average cost of a data-exposing cybersecurity incident is $4.35 million. If your business canβt avoid to pay, make sure youβve got a strong data loss prevention practice in place.
βΌ CVE-2022-3215 βΌ
π Read
via "National Vulnerability Database".
NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and "inject" those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws. This issue was resolved by adding validation to the HTTPHeaders type, ensuring that there's no whitespace incorrectly present in the HTTP headers provided by users. As the existing API surface is non-failable, all invalid characters are replaced by linear whitespace.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1270 βΌ
π Read
via "National Vulnerability Database".
In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39246 βΌ
π Read
via "National Vulnerability Database".
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the key forwarding strategy implemented in the matrix-android-sdk2 that is too permissive. Starting with version 1.5.1, the default policy for accepting key forwards has been made more strict in the matrix-android-sdk2. The matrix-android-sdk2 will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately (for example, by showing a warning for such messages). As a workaroubnd, current users of the SDK can disable key forwarding in their forks using `CryptoService#enableKeyGossiping(enable: Boolean)`.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3292 βΌ
π Read
via "National Vulnerability Database".
Use of Cache Containing Sensitive Information in GitHub repository ikus060/rdiffweb prior to 2.4.8.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39249 βΌ
π Read
via "National Vulnerability Database".
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust your homeservers do not need a workaround.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34424 βΌ
π Read
via "National Vulnerability Database".
Networking OS10, versions 10.5.1.x, 10.5.2.x, and 10.5.3.x contain a vulnerability that could allow an attacker to cause a system crash by running particular security scans.π Read
via "National Vulnerability Database".