‼ CVE-2022-32176 ‼
📖 Read
via "National Vulnerability Database".
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin's cookie leading to account takeover.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42029 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3564 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3559 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in Exim and classified as critical. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26375 ‼
📖 Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology AB Press Optimizer plugin <= 1.1.1 on WordPress.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3567 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41751 ‼
📖 Read
via "National Vulnerability Database".
Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.📖 Read
via "National Vulnerability Database".
🕴 Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text 🕴
📖 Read
via "Dark Reading".
There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.📖 Read
via "Dark Reading".
Dark Reading
Researchers Keep a Wary Eye on Critical New Vulnerability in Apache Commons Text
There's nothing yet to suggest CVE-2022-42889 is the next Log4j. But proof-of-concept code is available, and interest appears to be ticking up.
‼ CVE-2022-3421 ‼
📖 Read
via "National Vulnerability Database".
An attacker can pre-create the `/Applications/Google\ Drive.app/Contents/MacOS` directory which is expected to be owned by root to be owned by a non-root user. When the Drive for Desktop installer is run for the first time, it will place a binary in that directory with execute permissions and set its setuid bit. Since the attacker owns the directory, the attacker can replace the binary with a symlink, causing the installer to set the setuid bit on the symlink. When the symlink is executed, it will run with root permissions. We recommend upgrading past version 64.0📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-3368 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability within the Software Updater functionality of Avira Security for Windows allowed an attacker with write access to the filesystem, to escalate his privileges in certain scenarios. The issue was fixed with Avira Security version 1.1.72.30556.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40605 ‼
📖 Read
via "National Vulnerability Database".
MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38743 ‼
📖 Read
via "National Vulnerability Database".
Rockwell Automation FactoryTalk VantagePoint versions 8.0, 8.10, 8.20, 8.30, 8.31 are vulnerable to an improper access control vulnerability. The FactoryTalk VantagePoint SQL Server account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database. If successfully exploited, this could allow the attacker to execute arbitrary code and gain access to restricted data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42147 ‼
📖 Read
via "National Vulnerability Database".
kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\ Filecontroller.java.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41139 ‼
📖 Read
via "National Vulnerability Database".
MITRE CALDERA 4.1.0 allows stored XSS via app.contact.gist (aka the gist contact configuration field), leading to execution of arbitrary commands on agents.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3382 ‼
📖 Read
via "National Vulnerability Database".
HIWIN Robot System Software version 3.3.21.9869 does not properly address the terminated command source. As a result, an attacker could craft code to disconnect HRSS and the controller and cause a denial-of-service condition.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3517 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42143 ‼
📖 Read
via "National Vulnerability Database".
Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_payment.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41431 ‼
📖 Read
via "National Vulnerability Database".
xzs v3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /admin/question/edit. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40606 ‼
📖 Read
via "National Vulnerability Database".
MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40605.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42149 ‼
📖 Read
via "National Vulnerability Database".
kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3552 ‼
📖 Read
via "National Vulnerability Database".
Unrestricted Upload of File with Dangerous Type in GitHub repository boxbilling/boxbilling prior to 0.0.1.📖 Read
via "National Vulnerability Database".