‼ CVE-2022-39257 ‼
📖 Read
via "National Vulnerability Database".
Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-ios-sdk implementing a too permissive key forwarding strategy. The default policy for accepting key forwards has been made more strict in the matrix-ios-sdk version 0.23.19. matrix-ios-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately (for example, by showing a warning for such messages). This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40709 ‼
📖 Read
via "National Vulnerability Database".
An Out-of-bounds read vulnerability in Trend Micro Deep Security 20 and Cloud One - Workload Security Agent for Windows could allow a local attacker to disclose sensitive information on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit these vulnerabilities. This vulnerability is similar to, but not identical to CVE-2022-40707 and 40708.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39248 ‼
📖 Read
via "National Vulnerability Database".
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. matrix-android-sdk2 would then additionally sign such a key backup with its device key, spilling trust over to other devices trusting the matrix-android-sdk2 device. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. matrix-android-sdk2 version 1.5.1 has been modified to only accept Olm-encrypted to-device messages and to stop signing backups on a successful decryption. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.📖 Read
via "National Vulnerability Database".
🕴 Fake Accounts Are Not Your Friends! 🕴
📖 Read
via "Dark Reading".
Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.📖 Read
via "Dark Reading".
Darkreading
Fake Accounts Are Not Your Friends!
Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.
‼ CVE-2022-31628 ‼
📖 Read
via "National Vulnerability Database".
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39264 ‼
📖 Read
via "National Vulnerability Database".
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31629 ‼
📖 Read
via "National Vulnerability Database".
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-20308 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-20247 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42048 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-20325 ‼
📖 Read
via "National Vulnerability Database".
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15338 ‼
📖 Read
via "National Vulnerability Database".
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request Method With Sensitive Query Strings" issue for /cnr requests.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2019-20318 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2016-2338 ‼
📖 Read
via "National Vulnerability Database".
An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15332 ‼
📖 Read
via "National Vulnerability Database".
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-20314 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-20292 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during the year 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1718 ‼
📖 Read
via "National Vulnerability Database".
The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in GitHub repository polonel/trudesk prior to 1.2.2. This can lead to Denial of service.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2019-20317 ‼
📖 Read
via "National Vulnerability Database".
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-20282 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40695 ‼
📖 Read
via "National Vulnerability Database".
It was possible for a student to view their quiz grade before it had been released, using a quiz web service.📖 Read
via "National Vulnerability Database".