‼ CVE-2022-33150 ‼
📖 Read
via "National Vulnerability Database".
An OS command injection vulnerability exists in the js_package install functionality of Robustel R1510 3.1.16. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-32574 ‼
📖 Read
via "National Vulnerability Database".
A double-free vulnerability exists in the web interface /action/ipcamSetParamPost functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to memory corruption. An attacker can make an authenticated HTTP request to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35881 ‼
📖 Read
via "National Vulnerability Database".
Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via `errorCode` and `errorDescription` XML tags, as used within the `DoUpdateUPnPbyService` action handler.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3335 ‼
📖 Read
via "National Vulnerability Database".
The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39340 ‼
📖 Read
via "National Vulnerability Database".
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint was not validating the authorization header, resulting in disclosure of objects in the store. Users `openfga/openfga` versions 0.2.3 and prior who are exposing the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38196 ‼
📖 Read
via "National Vulnerability Database".
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-42890 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.📖 Read
via "National Vulnerability Database".
🕴 LinkedIn Phishing Spoof Bypasses Google Workspace Security 🕴
📖 Read
via "Dark Reading".
A credential-stealing attack that spoofed LinkedIn and targeted a national travel organization skates past DMARC and other email protections.📖 Read
via "Dark Reading".
Dark Reading
LinkedIn Phishing Spoof Bypasses Google Workspace Security
A credential-stealing attack that spoofed LinkedIn and targeted a national travel organization skates past DMARC and other email protections.
🕴 Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit 🕴
📖 Read
via "Dark Reading".
A pair of Microsoft bugs allow cyberattackers to bypass native Windows Internet download security, says former CERT CC researcher who discovered the flaws.📖 Read
via "Dark Reading".
Dark Reading
Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit
A pair of Microsoft bugs allow cyberattackers to bypass native Windows Internet download security, says former CERT CC researcher who discovered the flaws.
👍1
‼ CVE-2022-36452 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36453 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39354 ‼
📖 Read
via "National Vulnerability Database".
SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call came from a direct `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses `is_static`. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27912 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3644 ‼
📖 Read
via "National Vulnerability Database".
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38181 ‼
📖 Read
via "National Vulnerability Database".
An Arm product family through 2022-08-12 mail GPU kernel driver allows non-privileged users to make improper GPU processing operations to gain access to already freed memory.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36454 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-27913 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36451 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-31468 ‼
📖 Read
via "National Vulnerability Database".
OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38162 ‼
📖 Read
via "National Vulnerability Database".
Reflected cross-site scripting (XSS) vulnerabilities in WithSecure through 2022-08-10) exists within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide a malicious input.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-41711 ‼
📖 Read
via "National Vulnerability Database".
Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.📖 Read
via "National Vulnerability Database".