CVE-2022-39340 (National Vulnerability Database)
OpenFGA is an authorization/permission engine. Prior to version 0.2.4, the `streamed-list-objects` endpoint did not validate the authorization header, resulting in disclosure of objects in the store. Users of `openfga/openfga` versions 0.2.3 and prior who expose the OpenFGA service to the internet are vulnerable. Version 0.2.4 contains a patch for this issue.
CVE-2022-38196 (National Vulnerability Database)
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directories.
CVE-2022-42890 (National Vulnerability Database)
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
LinkedIn Phishing Spoof Bypasses Google Workspace Security (Dark Reading)
A credential-stealing attack that spoofed LinkedIn and targeted a national travel organization skates past DMARC and other email protections.
Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit (Dark Reading)
A pair of Microsoft bugs allow cyberattackers to bypass native Windows Internet download security, says the former CERT CC researcher who discovered the flaws.
CVE-2022-36452 (National Vulnerability Database)
A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application.
CVE-2022-36453 (National Vulnerability Database)
A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number.
CVE-2022-39354 (National Vulnerability Database)
SputnikVM, also called evm, is a Rust implementation of the Ethereum Virtual Machine. A custom stateful precompile can use the `is_static` parameter to determine whether the call is executed in a static context (via `STATICCALL`), and thus decide whether stateful operations should be performed. Prior to version 0.36.0, the passed `is_static` parameter was incorrect: it was only set to `true` if the call came from a direct `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually use `is_static`. For those affected, the issue can lead to incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.
CVE-2022-27912 (National Vulnerability Database)
An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with publicly enabled debug mode exposed data of previous requests.
CVE-2022-3644 (National Vulnerability Database)
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field, and exposes them in read/write mode via the API () instead of marking them as write-only.
CVE-2022-38181 (National Vulnerability Database)
The Arm Mali GPU kernel driver (Arm product family through 2022-08-12) allows non-privileged users to perform improper GPU processing operations and gain access to already freed memory.
CVE-2022-36454 (National Vulnerability Database)
A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name.
CVE-2022-27913 (National Vulnerability Database)
An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components.
CVE-2022-36451 (National Vulnerability Database)
A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.
CVE-2022-31468 (National Vulnerability Database)
OX App Suite through 8.2 allows XSS via an attachment or OX Drive content when a client uses the len or off parameter.
CVE-2022-38162 (National Vulnerability Database)
Reflected cross-site scripting (XSS) vulnerabilities in WithSecure (through 2022-08-10) exist within the F-Secure Policy Manager due to an unvalidated parameter in the endpoint, which allows remote attackers to provide malicious input.
CVE-2022-41711 (National Vulnerability Database)
Badaso version 2.6.0 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
CVE-2022-33185 (National Vulnerability Database)
Several commands in Brocade Fabric OS before Brocade Fabric OS v9.0.1e and v9.1.0 use unsafe string functions to process user input. Authenticated local attackers could abuse these vulnerabilities to exploit stack-based buffer overflows, allowing arbitrary code execution as the root user account.
CVE-2022-33181 (National Vulnerability Database)
An information disclosure vulnerability in the Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a local authenticated attacker to read sensitive files using the switch commands “configshow” and “supportlink”.
CVE-2022-33178 (National Vulnerability Database)
A vulnerability in the RADIUS authentication system of Brocade Fabric OS before Brocade Fabric OS 9.0 could allow a remote attacker to execute arbitrary code on the Brocade switch.
CVE-2022-33183 (National Vulnerability Database)
A vulnerability in the Brocade Fabric OS CLI before Brocade Fabric OS v9.1.0, 9.0.1e, 8.2.3c, 8.2.0cbn5, 7.4.2.j could allow a remote authenticated attacker to perform a stack buffer overflow in the “firmwaredownload” and “diagshow” commands.