Patching-as-a-Service Offers Benefits, Challenges
Organizations without the time or talent to patch may find patching-as-a-service a way to improve security.
Read via "Dark Reading".
CVE-2022-41500
EyouCMS V1.5.9 was discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities via the Members Center, Editorial Membership, and Points Recharge components.
Read via "National Vulnerability Database".
CVE-2022-42218
Open Source SACCO Management System v1.0 is vulnerable to SQL Injection via /sacco_shield/manage_loan.php.
Read via "National Vulnerability Database".
How Card Skimming Disproportionally Affects Those Most In Need
When people banking in the United States lose money because their payment card got skimmed at an ATM, gas pump or grocery store checkout terminal, they may face hassles or delays in recovering any lost funds, but they are almost always made whole by their financial institution. Yet, one class of Americans -- those receiving food assistance benefits via state-issued prepaid debit cards -- is particularly exposed to losses from skimming scams, and usually has little recourse to do anything about it.
Read via "Krebs on Security".
Fortinet reiterates call to mitigate against active zero-day, as customers delay fixes
A large number of customers have yet to apply the mitigations necessary to avoid the critical vulnerability.
Read via "ITPro".
How to use machine learning and AI in cyber security
New technologies can augment your security team's response and may even be able to actively deceive attackers.
Read via "ITPro".
CVE-2016-20016
MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.
Read via "National Vulnerability Database".
CVE-2022-3606
A vulnerability was found in the Linux Kernel. It has been classified as problematic. This affects the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF. The manipulation leads to a null pointer dereference. It is recommended to apply a patch to fix this issue. The identifier VDB-211749 was assigned to this vulnerability.
Read via "National Vulnerability Database".
CVE-2022-42466
Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter JavaScript or similar and this would be executed. As of this release, the inputted strings are properly escaped when rendered.
Read via "National Vulnerability Database".
CVE-2022-42467
When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of 2.0.0-M8, this can now be done using the 'isis.prototyping.h2-console.web-allow-remote-access' configuration property; the web console will be unavailable without setting this configuration. As an additional safeguard, the new 'isis.prototyping.h2-console.generate-random-web-admin-password' configuration parameter (enabled by default) requires that the administrator use a randomly generated password to use the console. The password is printed to the log as "webAdminPass: xxx" (where "xxx" is the password). To revert to the original behaviour, the administrator would therefore need to set these configuration parameters:
isis.prototyping.h2-console.web-allow-remote-access=true
isis.prototyping.h2-console.generate-random-web-admin-password=false
Note also that the h2 webconsole is never available in production mode, so these safeguards are only to ensure that the webconsole is secured by default in prototype mode as well.
Read via "National Vulnerability Database".
CVE-2016-20017
D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.
Read via "National Vulnerability Database".
Apache Commons Text RCE: Resemblance to Log4Shell but exposure risk is "much lower"
Log4Shell-like bug is serious but less dangerous than the notorious Log4j vulnerability.
Read via "The Daily Swig".
CVE-2022-25687
Memory corruption in video due to buffer overflow while parsing ASF clips in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
Read via "National Vulnerability Database".
CVE-2022-33214
Memory corruption in display due to time-of-check time-of-use of metadata reserved size in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.
Read via "National Vulnerability Database".
CVE-2022-25662
Information disclosure due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables.
Read via "National Vulnerability Database".
CVE-2022-39233
Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In versions 12.9.99.228 and above, prior to 14.0.99.24, authorizations are not properly verified when updating the branch prefix used by the GitLab repository integration. Authenticated users can change the branch prefix of any of the GitLab repository integrations they can see via the REST endpoint `PATCH /gitlab_repositories/{id}`. This action should be restricted to Git administrators. This issue is patched in Tuleap Community Edition 14.0.99.24 and Tuleap Enterprise Edition 14.0-3. There are no known workarounds.
Read via "National Vulnerability Database".
CVE-2022-25660
Memory corruption due to double free issue in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile.
Read via "National Vulnerability Database".
CVE-2022-25661
Memory corruption due to untrusted pointer dereference in kernel in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile.
Read via "National Vulnerability Database".
CVE-2022-25749
Transient Denial-of-Service in WLAN due to buffer over-read while parsing mDNS frames in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.
Read via "National Vulnerability Database".
CVE-2022-25663
Possible buffer overflow due to lack of buffer length check during management frame Rx handling, leading to denial of service in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity.
Read via "National Vulnerability Database".
CVE-2022-25720
Memory corruption in WLAN due to out-of-bound array access during connect/roaming in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables.
Read via "National Vulnerability Database".