Zoom for Mac patches sneaky "spy-on-me" bug - update now!
Hey! That back door isn't supposed to be there at all, let alone propped open...
via "Naked Security".
CVE-2020-15853
supybot-fedora implements the command 'refresh', which refreshes the cache of all users from FAS. This takes quite a while to run, and zodbot stops responding to requests during this time.
via "National Vulnerability Database".
CVE-2022-41547
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.
via "National Vulnerability Database".
CVE-2022-33874
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in the SSH login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, and 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary commands in the underlying shell.
via "National Vulnerability Database".
CVE-2022-41544
GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.
via "National Vulnerability Database".
CVE-2022-41537
Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /user_operations/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
via "National Vulnerability Database".
CVE-2022-41540
The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.
via "National Vulnerability Database".
CVE-2022-43260
Tenda AC18 V15.03.05.19(6318) was discovered to contain a stack overflow via the time parameter in the fromSetSysTime function.
via "National Vulnerability Database".
CVE-2022-35846
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in the FortiTester Telnet port, versions 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, and 7.0.0 through 7.1.0, may allow an unauthenticated attacker to guess the credentials of an admin user via a brute force attack.
via "National Vulnerability Database".
CVE-2022-40684
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6, and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
via "National Vulnerability Database".
CVE-2022-33872
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in the Telnet login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, and 7.0.0 through 7.1.0 may allow an unauthenticated remote attacker to execute arbitrary commands in the underlying shell.
via "National Vulnerability Database".
CVE-2022-41541
TP-Link AX10v1 V1_211117 allows attackers to execute a replay attack by using a previously transmitted encrypted authentication message and valid authentication token. Attackers are able to log in to the web application as an admin user.
via "National Vulnerability Database".
CVE-2022-33873
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in the console login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, and 7.0.0 through 7.1.0 may allow an unauthenticated attacker to execute arbitrary commands in the underlying shell.
via "National Vulnerability Database".
CVE-2022-41479
The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to access the application source code.
via "National Vulnerability Database".
CVE-2022-35844
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, and 7.0.0 through 7.1.0 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to commands of the certificate import feature.
via "National Vulnerability Database".
CVE-2022-29055
An access of uninitialized pointer in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, and 6.0.x, and FortiProxy version 7.0.0 through 7.0.4, 2.0.0 through 2.0.9, and 1.2.x allows a remote unauthenticated or authenticated attacker to crash the sslvpn daemon via an HTTP GET request.
via "National Vulnerability Database".
CVE-2022-43259
Tenda AC15 V15.03.05.18 was discovered to contain a stack overflow via the timeZone parameter in the form_fast_setting_wifi_set function.
via "National Vulnerability Database".
CVE-2022-41504
An arbitrary file upload vulnerability in the component /php_action/editProductImage.php of Billing System Project v1.0 allows attackers to execute arbitrary code via a crafted PHP file.
via "National Vulnerability Database".
Dangerous hole in Apache Commons Text - like Log4Shell all over again
Third time unlucky. Time to put your patching boots on again...
via "Naked Security".
Treat Essential Security Certificates as Valuable Assets
Manage the company's often-overlooked security certificates as the valuable assets they are, essential for security hygiene and to prevent issues.
via "Dark Reading".
German Cybersecurity Boss Sacked Over Kremlin Connection
The head of Germany's national cybersecurity agency was fired over ties to a member of Russian intelligence once honored by Vladimir Putin.
via "Dark Reading".