CVE-2022-42902
via "National Vulnerability Database".
In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
CVE-2022-3471
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Human Resource Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file city.php. The manipulation of the argument searccity leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-210715.
CVE-2022-34020
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability in ResIOT ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 allows attackers to add new admin users to the platform or other unspecified impacts.
CVE-2022-42897
via "National Vulnerability Database".
Array Networks AG/vxAG with ArrayOS AG before 9.4.0.469 allows unauthenticated command injection that leads to privilege escalation and control of the system. NOTE: ArrayOS AG 10.x is unaffected.
CVE-2022-2828
via "National Vulnerability Database".
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability.
CVE-2021-20030
via "National Vulnerability Database".
SonicWall GMS is vulnerable to file path manipulation, which allows an unauthenticated attacker to gain access to the web directory containing the application's binaries and configuration files.
What the Uber Breach Verdict Means for CISOs in the US
via "Dark Reading".
Can already beleaguered CISOs now add possible legal charges to their smorgasbord of job considerations? Disclose a breach to comply and face dismissal, or cover it up and face personal punishment.
CVE-2022-38902
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the Blog module's add-new-topic functionality in Liferay Digital Experience Platform 7.3.10 SP3 allows remote attackers to inject arbitrary JS script or HTML into the name field of a newly created topic.
CVE-2022-24697
via "National Vulnerability Database".
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of "-- conf=" to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.
CVE-2022-37208 (jfinal_cms)
via "National Vulnerability Database".
JFinal CMS 5.1.0 is vulnerable to SQL injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.
CVE-2022-42889
via "National Vulnerability Database".
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
CVE-2022-35080
via "National Vulnerability Database".
SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via png_load at /lib/png.c.
CVE-2022-35081
via "National Vulnerability Database".
SWFTools commit 772e55a2 was discovered to contain a heap-buffer overflow via png_read_header at /src/png2swf.c.
GitLab patches RCE bug in GitHub import function
via "The Daily Swig".
Data importation mechanism failed to sanitize imports.
Attackers Use Automation to Speed from Exploit to Compromise According to Lacework Labs Cloud Threat Report
via "Dark Reading".
New open source Cloud Hunter tool, developed through Lacework Labs research, helps customers get better visibility to reduce response times for incident investigations.
State of Security Data Management 2022 Report Reveals Overconfidence Masks a Pervasive Data Problem
via "Dark Reading".
Despite dozens of tools and external vendors, 2 in 3 organizations believe their data strategy isn't sustainable beyond three years, which could leave businesses vulnerable.
CVE-2022-41475
via "National Vulnerability Database".
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add an administrator account.
CVE-2022-41473
via "National Vulnerability Database".
RPCMS v3.0.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Search function.
CVE-2022-41474
via "National Vulnerability Database".
RPCMS v3.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily change the password of any account.
CVE-2022-41489
via "National Vulnerability Database".
WAYOS LQ_09 22.03.17V was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to send crafted requests to the server from the affected device. This vulnerability is exploitable due to a lack of authentication in the component Usb_upload.htm.
Patch Tuesday in brief – one 0-day fixed, but no patches for Exchange!
via "Naked Security".
There's a zero-day patch, but it's not for the zero-day you thought.