‼ CVE-2022-3351 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webhooks.📖 Read
via "National Vulnerability Database".
🕴 The Risk of Stateful Antipatterns in Enterprise Internet Architecture 🕴
📖 Read
via "Dark Reading".
Excessive statefulness hurts the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting an entire service delivery chain's ability to withstand a DDoS attack.📖 Read
via "Dark Reading".
Dark Reading
The Risk of Stateful Anti-Patterns in Enterprise Internet Architecture
Excessive statefulness hurts the ability to scale networks, applications, and ancillary supporting infrastructure, thus affecting an entire service delivery chain's ability to withstand a DDoS attack.
‼ CVE-2022-3566 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40055 ‼
📖 Read
via "National Vulnerability Database".
An issue in GX Group GPON ONT Titanium 2122A T2122-V1.26EXL allows attackers to escalate privileges via a brute force attack at the login page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3563 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this issue. VDB-211086 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3565 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32176 ‼
📖 Read
via "National Vulnerability Database".
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin's cookie leading to account takeover.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42029 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3564 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3559 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in Exim and classified as critical. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26375 ‼
📖 Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology AB Press Optimizer plugin <= 1.1.1 on WordPress.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3567 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41751 ‼
📖 Read
via "National Vulnerability Database".
Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.📖 Read
via "National Vulnerability Database".
🕴 Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text 🕴
📖 Read
via "Dark Reading".
There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.📖 Read
via "Dark Reading".
Dark Reading
Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text
There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.
‼ CVE-2022-3421 ‼
📖 Read
via "National Vulnerability Database".
An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-3368 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40605 ‼
📖 Read
via "National Vulnerability Database".
MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38743 ‼
📖 Read
via "National Vulnerability Database".
Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an improper access control vulnerability. The FactoryTalk VantagePoint SQL Server account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database. If successfully exploited, this could allow the attacker to execute arbitrary code and gain access to restricted data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42147 ‼
📖 Read
via "National Vulnerability Database".
kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\ Filecontroller.java.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41139 ‼
📖 Read
via "National Vulnerability Database".
MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3382 ‼
📖 Read
via "National Vulnerability Database".
HIWIN Robot System Software version 3.3.21.9869 does not properly address the terminated command source. As a result, an attacker could craft code to disconnect HRSS and the controller and cause a denial-of-service condition.📖 Read
via "National Vulnerability Database".