β Move over Patch Tuesday β itβs Ada Lovelace Day! β
π Read
via "Naked Security".
Hacking on actual computers is one thing, but hacking purposefully on imaginary computers is, these days, something we can only imagine.π Read
via "Naked Security".
Naked Security
Move over Patch Tuesday β itβs Ada Lovelace Day!
Hacking on actual computers is one thing, but hacking purposefully on imaginary computers is, these days, something we can only imagine.
π΄ Skybox Security Unveils Industry's First SaaS Solution For Security Policy and Vulnerability Management Across Hybrid Environments π΄
π Read
via "Dark Reading".
Skybox Security Cloud Edition ushers in a new era of proactive cybersecurity .π Read
via "Dark Reading".
Dark Reading
Skybox Security Unveils Industry's First SaaS Solution For Security Policy and Vulnerability Management Across Hybrid Environments
Skybox Security Cloud Edition ushers in a new era of proactive cybersecurity .
βΌ CVE-2022-32174 βΌ
π Read
via "National Vulnerability Database".
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39271 βΌ
π Read
via "National Vulnerability Database".
Traefik (pronounced traffic) is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. There has been a patch released in versions 2.8.8 and 2.9.0-rc5. There are currently no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3358 βΌ
π Read
via "National Vulnerability Database".
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).π Read
via "National Vulnerability Database".
βΌ CVE-2022-32175 βΌ
π Read
via "National Vulnerability Database".
In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42731 βΌ
π Read
via "National Vulnerability Database".
mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.π Read
via "National Vulnerability Database".
π OpenSSL Toolkit 1.1.1r π
π Read
via "Packet Storm Security".
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.π Read
via "Packet Storm Security".
Packetstormsecurity
OpenSSL Toolkit 1.1.1r β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π OpenSSL Toolkit 3.0.6 π
π Read
via "Packet Storm Security".
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide. The 3.x series is the current major version of OpenSSL.π Read
via "Packet Storm Security".
Packetstormsecurity
OpenSSL Toolkit 3.0.6 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π American Fuzzy Lop plus plus 4.04c π
π Read
via "Packet Storm Security".
Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.π Read
via "Packet Storm Security".
Packetstormsecurity
American Fuzzy Lop plus plus 4.04c β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π΄ It's Time to Make Security an Innovation Enabler π΄
π Read
via "Dark Reading".
How data-driven security can best safeguard your unique cloud operations.π Read
via "Dark Reading".
Dark Reading
It's Time to Make Security an Innovation Enabler
How data-driven security can best safeguard your unique cloud operations.
βΌ CVE-2022-34431 βΌ
π Read
via "National Vulnerability Database".
Dell Hybrid Client below 1.8 version contains a guest user profile corruption vulnerability. A WMS privilege attacker could potentially exploit this vulnerability, leading to DHC system not being accessible.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32486 βΌ
π Read
via "National Vulnerability Database".
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34434 βΌ
π Read
via "National Vulnerability Database".
Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33978 βΌ
π Read
via "National Vulnerability Database".
Reflected Cross-Site Scripting (XSS) vulnerability FontMeister plugin <= 1.08 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34430 βΌ
π Read
via "National Vulnerability Database".
Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38388 βΌ
π Read
via "National Vulnerability Database".
IBM Navigator Mobile Android 3.4.1.1 and 3.4.1.2 app could allow a local user to obtain sensitive information due to improper access control. IBM X-Force ID: 233968.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34432 βΌ
π Read
via "National Vulnerability Database".
Dell Hybrid Client below 1.8 version contains a gedit vulnerability. A guest attacker could potentially exploit this vulnerability, allowing deletion of user and some system files and folders.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32492 βΌ
π Read
via "National Vulnerability Database".
Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41376 βΌ
π Read
via "National Vulnerability Database".
Metro UI v4.4.0 to v4.5.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Javascript function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34426 βΌ
π Read
via "National Vulnerability Database".
Dell Container Storage Modules 1.2 contains an Improper Limitation of a Pathname to a Restricted Directory in goiscsi and gobrick libraries which could lead to OS command injection. A remote unauthenticated attacker could exploit this vulnerability leading to unintentional access to path outside of restricted directory.π Read
via "National Vulnerability Database".