CVE-2022-39419
Read via "National Vulnerability Database".
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Easily exploitable vulnerability allows a low privileged attacker having the Create Procedure privilege with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java VM accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-39411
Read via "National Vulnerability Database".
Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: Business Process Automation). Supported versions that are affected are 6.4.3 and 6.5.1. Easily exploitable vulnerability allows a high privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Transportation Management accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
CVE-2022-39421
Read via "National Vulnerability Database".
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 6.1.40. Easily exploitable vulnerability allows a low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows systems only. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
CVE-2022-39409
Read via "National Vulnerability Database".
Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: Business Process Automation). Supported versions that are affected are 6.4.3 and 6.5.1. Easily exploitable vulnerability allows a high privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Transportation Management. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-39404
Read via "National Vulnerability Database".
Vulnerability in the MySQL Installer product of Oracle MySQL (component: Installer: General). Supported versions that are affected are 1.6.3 and prior. Difficult to exploit vulnerability allows a low privileged attacker with logon to the infrastructure where MySQL Installer executes to compromise MySQL Installer. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Installer accessible data as well as unauthorized read access to a subset of MySQL Installer accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Installer. CVSS 3.1 Base Score 4.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L).
CVE-2022-39428
Read via "National Vulnerability Database".
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Patching-as-a-Service Offers Benefits, Challenges
Read via "Dark Reading".
Organizations without the time or talent to patch may find patching-as-a-service a way to improve security.
CVE-2022-41500
Read via "National Vulnerability Database".
EyouCMS V1.5.9 was discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities via the Members Center, Editorial Membership, and Points Recharge components.
CVE-2022-42218
Read via "National Vulnerability Database".
Open Source SACCO Management System v1.0 is vulnerable to SQL injection via /sacco_shield/manage_loan.php.
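The entry above names only the vulnerable script, not the parameter or query. The block below is an added illustration (not code from the SACCO Management System) of the injection class it describes: a loan-lookup query built by string concatenation, beside the parameterized version that closes it. The table layout, the rows, and the assumption that the script takes an integer loan id from the request are constructed for the example.

```python
"""Worked example of an SQL injection of the kind reported for manage_loan.php.
The loans table, its rows and the `loan_id` request parameter are assumptions
made for this illustration; the advisory names only the file."""
import re
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE loans (id INTEGER PRIMARY KEY, member TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO loans VALUES (?, ?, ?)",
        [(1, "alice", 1500.0), (2, "bob", 820.0), (3, "carol", 4100.0)],  # constructed data
    )
    return conn


def manage_loan_vulnerable(conn, loan_id):
    """The request value is spliced into the SQL text, so it can change the
    statement's structure: "2 OR 1=1" turns a single-row lookup into a dump."""
    sql = "SELECT id, member, amount FROM loans WHERE id = " + loan_id
    return conn.execute(sql).fetchall()


def manage_loan_fixed(conn, loan_id):
    """Validate the shape of the input, then bind it as a parameter.  Even if the
    shape check were dropped, the bound value could never become SQL syntax."""
    if not re.fullmatch(r"[0-9]+", loan_id):
        raise ValueError("loan id must be a decimal integer")
    return conn.execute(
        "SELECT id, member, amount FROM loans WHERE id = ?", (int(loan_id),)
    ).fetchall()


def demo():
    """Run both versions against a benign id and an injected one.
    Returns (vulnerable_benign_rows, vulnerable_injected_rows,
             fixed_benign_rows, fixed_rejected_injection)."""
    conn = make_db()
    benign, injected = "2", "2 OR 1=1"
    vuln_benign = len(manage_loan_vulnerable(conn, benign))
    vuln_injected = len(manage_loan_vulnerable(conn, injected))
    fixed_benign = len(manage_loan_fixed(conn, benign))
    try:
        manage_loan_fixed(conn, injected)
        rejected = False
    except ValueError:
        rejected = True
    return vuln_benign, vuln_injected, fixed_benign, rejected


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns every row for the injected value; the fixed path returns exactly one row for the benign id and refuses the injected one before any SQL runs. The same pattern (shape check plus bound parameters) applies whatever the real parameter name in manage_loan.php turns out to be.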
How Card Skimming Disproportionally Affects Those Most In Need
Read via "Krebs on Security".
When people banking in the United States lose money because their payment card got skimmed at an ATM, gas pump or grocery store checkout terminal, they may face hassles or delays in recovering any lost funds, but they are almost always made whole by their financial institution. Yet, one class of Americans -- those receiving food assistance benefits via state-issued prepaid debit cards -- are particularly exposed to losses from skimming scams, and usually have little recourse to do anything about it.
Fortinet reiterates call to mitigate against active zero-day, as customers delay fixes
Read via "ITPro".
A large number of customers have yet to apply mitigations necessary to avoid the critical vulnerability.
How to use machine learning and AI in cyber security
Read via "ITPro".
New technologies can augment your security team's response and may even be able to actively deceive attackers.
CVE-2016-20016
Read via "National Vulnerability Database".
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response Server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
CVE-2022-3606
Read via "National Vulnerability Database".
A vulnerability was found in the Linux kernel tree. It has been classified as problematic. It affects the function find_prog_by_sec_insn in the file tools/lib/bpf/libbpf.c of the BPF component; note that this path is the user-space libbpf loader library shipped in the kernel source tree, not in-kernel BPF code. The manipulation leads to a null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.
CVE-2022-42466
Read via "National Vulnerability Database".
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged (unescaped) when the value was saved. In particular, the end-user could enter JavaScript or similar, and this would be executed when the property was rendered. As of this release, the inputted strings are properly escaped when rendered.
CVE-2022-42467
Read via "National Vulnerability Database".
When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) was automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the 'isis.prototyping.h2-console.web-allow-remote-access' configuration property; the web console will be unavailable without setting this configuration. As an additional safeguard, the new 'isis.prototyping.h2-console.generate-random-web-admin-password' configuration parameter (enabled by default) requires that the administrator use a randomly generated password to use the console. The password is printed to the log as "webAdminPass: xxx" (where "xxx" is the password), so while the console is enabled, read access to the application log is equivalent to console access. To revert to the original behaviour, the administrator would therefore need to set these configuration parameters:
isis.prototyping.h2-console.web-allow-remote-access=true
isis.prototyping.h2-console.generate-random-web-admin-password=false
Note also that the h2 webconsole is never available in production mode, so these safeguards only ensure that the webconsole is secured by default in prototype mode as well.
CVE-2016-20017
Read via "National Vulnerability Database".
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
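Both of the exploited-in-the-wild entries above (the MVPower DVR /shell web shell, CVE-2016-20016, and the D-Link DSL-2750B login.cgi cli parameter, CVE-2016-20017) leave a recognisable trace in HTTP access logs. The block below is an added example, not vendor or NVD code, of the detection logic a defender would run over such logs: it flags requests for the /shell URI, and login.cgi requests whose cli parameter carries shell metacharacters. The log lines are constructed samples in Apache combined-log format, the metacharacter list is the author's assumption about what an injected command needs, and the JAWS check only applies the Server-header fingerprint that the MVPower entry itself describes.

```python
"""Flag access-log lines matching the two in-the-wild exploit patterns
described above.  Example code, not vendor or NVD material.  The sample
log lines, the metacharacter list and the helper names are constructed
for this illustration."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Minimal Apache combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Characters that turn one shell argument into a second command (assumption:
# a command injection through a CLI-style parameter needs at least one of these).
SHELL_META = re.compile(r'[;&|`$<>\n]')

# Constructed sample lines; the commands are deliberately benign (`id`).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2022:10:00:01 +0000] "GET /shell?id HTTP/1.1" 200 12
203.0.113.9 - - [21/Oct/2022:10:00:02 +0000] "GET /login.cgi?cli=x%3Bid HTTP/1.1" 200 45
198.51.100.7 - - [21/Oct/2022:10:00:03 +0000] "GET /login.cgi?cli=show%20version HTTP/1.1" 200 45
198.51.100.8 - - [21/Oct/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def classify(line):
    """Return a list of (cve, reason) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # CVE-2016-20016: the DVR's command endpoint lives at /shell; any request
    # for it from the network is an exploitation attempt, whatever the query.
    if path == "/shell":
        findings.append(("CVE-2016-20016", "request for MVPower DVR /shell web shell"))
    # CVE-2016-20017: login.cgi with a cli parameter that carries a command
    # separator.  A plain value ("show version") is left alone.
    if path.endswith("/login.cgi") and "cli" in query:
        for value in query["cli"]:
            if SHELL_META.search(unquote(value)):  # unquote again: double-encoded
                findings.append(("CVE-2016-20017",
                                 f"login.cgi cli parameter contains shell metacharacters: {value!r}"))
                break
    return findings


def is_jaws_server(server_header):
    """Fingerprint from the CVE-2016-20016 text: the DVR's HTTP Server field
    identifies it as the 'JAWS' web server."""
    return "JAWS" in server_header


def scan(log_text):
    """Count findings per CVE across a whole log; returns a dict."""
    counts = {}
    for line in log_text.splitlines():
        for cve, _reason in classify(line):
            counts[cve] = counts.get(cve, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line) or "-", "|", line)
    print(scan(SAMPLE_LOG))
```

The /shell check matches on the path alone because the advisory says the endpoint is reachable without authentication; there is no legitimate reason for that URI to be requested from outside. The cli check is deliberately narrower so that ordinary CLI-style values do not page anyone; tune SHELL_META to the device's actual shell if you have a sample of benign traffic.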
Apache Commons Text RCE: Resemblance to Log4Shell but exposure risk is "much lower"
Read via "The Daily Swig".
Log4Shell-like bug is serious but less dangerous than the notorious Log4j vulnerability.
CVE-2022-25687
Read via "National Vulnerability Database".
Memory corruption in video due to buffer overflow while parsing ASF clips in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
CVE-2022-33214
Read via "National Vulnerability Database".
Memory corruption in display due to time-of-check time-of-use of metadata reserved size in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.
CVE-2022-25662
Read via "National Vulnerability Database".
Information disclosure due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.