‼ CVE-2022-42991 ‼
via "National Vulnerability Database".
A stored cross-site scripting (XSS) vulnerability in Simple Online Public Access Catalog v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Account Full Name field.
‼ CVE-2022-38744 ‼
via "National Vulnerability Database".
An unauthenticated attacker with network access to a victim's Rockwell Automation FactoryTalk Alarm and Events service could open a connection, causing the service to fault and become unavailable. The affected port could be used as a server ping port and uses messages structured with XML.
‼ CVE-2022-39364 ‼
via "National Vulnerability Database".
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`.
‼ CVE-2022-42993 ‼
via "National Vulnerability Database".
Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page.
‼ CVE-2022-39329 ‼
via "National Vulnerability Database".
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this issue. No known workarounds are available.
‼ CVE-2022-39365 ‼
via "National Vulnerability Database".
Pimcore is an open source data and experience management platform. Prior to version 10.5.9, the user controlled twig templates rendering in `Pimcore/Mail` & `ClassDefinition\Layout\Text` is vulnerable to server-side template injection, which could lead to remote code execution. Version 10.5.9 contains a patch for this issue. As a workaround, one may apply the patch manually.
⚠ S3 Ep106: Facial recognition without consent – should it be banned? ⚠
via "Naked Security".
Latest episode – listen (or read) now. Teachable moments for X-Ops professionals!
‼ CVE-2022-40184 ‼
via "National Vulnerability Database".
Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.
‼ CVE-2022-24670 ‼
via "National Vulnerability Database".
An attacker can use the unrestricted LDAP queries to determine configuration entries.
‼ CVE-2022-41996 ‼
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress leading to arbitrary plugin installation/activation.
‼ CVE-2022-3725 ‼
via "National Vulnerability Database".
Crash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file.
‼ CVE-2022-3095 ‼
via "National Vulnerability Database".
The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WHATWG URL standard. Dart uses RFC 3986 syntax, which creates incompatibilities with the '\' character in URIs and can lead to auth bypass in web apps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.
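The backslash differential behind this CVE, shown as an added example that is not part of the CVE record and not Dart's own code: Python's `urllib.parse.urlsplit` stands in for an RFC 3986-style parser (the pre-2.18 Dart `Uri` behaviour, where `\` is an ordinary character), and `whatwg_split` applies the WHATWG rule that `\` is a path separator in special schemes, as a browser does, before handing off to the same parser. The hosts `trusted.example` and `attacker.example`, the allowlist, and the `/public` prefix check are constructed for illustration.

```python
"""Backslash parser differential: RFC 3986-style vs WHATWG-style URL parsing.

Added example, not Dart code. urlsplit() stands in for an RFC 3986-style
parser such as Dart's Uri class before 2.18; whatwg_split() applies the WHATWG
rule that '\\' means '/' in special schemes. Hosts and paths are constructed.
"""
import posixpath
from urllib.parse import SplitResult, urlsplit

# Schemes for which the WHATWG URL standard treats '\' exactly like '/'.
SPECIAL_SCHEMES = {"http", "https", "ws", "wss", "ftp", "file"}

# Constructed allowlist used by the redirect check below.
TRUSTED_HOSTS = {"trusted.example"}


def rfc_split(url: str) -> SplitResult:
    """RFC 3986-style parse: '\\' is an ordinary character, not a delimiter."""
    return urlsplit(url)


def whatwg_split(url: str) -> SplitResult:
    """WHATWG-style parse: in special schemes every '\\' becomes '/', and dot
    segments are collapsed, as a browser would do before navigating."""
    scheme, sep, rest = url.partition(":")
    if sep and scheme.lower() in SPECIAL_SCHEMES:
        rest = rest.replace("\\", "/")
        url = f"{scheme}:{rest}"
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path) if parts.path else parts.path
    return parts._replace(path=path)


def redirect_allowed(url: str, parser) -> bool:
    """Host allowlist check as an app might write it, parameterised by parser."""
    return parser(url).hostname in TRUSTED_HOSTS


def path_is_public(url: str, parser) -> bool:
    """Path-prefix authorisation check, parameterised by parser."""
    return parser(url).path.startswith("/public")


def hardened_redirect_allowed(url: str) -> bool:
    """Defensive variant: refuse raw backslashes outright and require both
    parsers to agree, so no downstream component can see a different host."""
    if "\\" in url:
        return False
    return redirect_allowed(url, rfc_split) and redirect_allowed(url, whatwg_split)


def differential_report(url: str) -> dict:
    """Summarise how each parser sees the same string (host and path)."""
    rfc, www = rfc_split(url), whatwg_split(url)
    return {
        "rfc_host": rfc.hostname, "rfc_path": rfc.path,
        "whatwg_host": www.hostname, "whatwg_path": www.path,
    }


if __name__ == "__main__":
    # Case 1: the RFC-style parser sees userinfo 'attacker.example\' and host
    # 'trusted.example'; a browser sees host 'attacker.example'. A server that
    # validates the host with the RFC view approves a redirect the browser
    # will actually send to the attacker.
    open_redirect = "http://attacker.example\\@trusted.example/cb"
    # Case 2: the RFC-style parser keeps '/public\..\admin' literally, so a
    # prefix check passes; a browser collapses it to '/admin'.
    traversal = "http://trusted.example/public\\..\\admin"
    for url in (open_redirect, traversal):
        print(url, differential_report(url))
    print("redirect allowed (RFC view):", redirect_allowed(open_redirect, rfc_split))
    print("public path (RFC view):", path_is_public(traversal, rfc_split))
    print("redirect allowed (hardened):", hardened_redirect_allowed(open_redirect))
```

The hardened check is deliberately blunt: rejecting any raw `\` is simpler and safer than trying to agree with every parser in the request path (browser, proxy, framework), and the "both parsers must agree" rule catches the remaining cases where a string is valid under both syntaxes but names different resources.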
‼ CVE-2022-40183 ‼
via "National Vulnerability Database".
An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.
‼ CVE-2022-24669 ‼
via "National Vulnerability Database".
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.
‼ CVE-2022-39978 ‼
via "National Vulnerability Database".
Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.
‼ CVE-2022-0072 ‼
via "National Vulnerability Database".
Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, and from 1.7.0 before 1.7.16.1.
‼ CVE-2022-41555 ‼
via "National Vulnerability Database".
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutLineMessageSetting API.
‼ CVE-2022-3385 ‼
via "National Vulnerability Database".
Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can remotely overflow the stack buffer and enable remote code execution.
‼ CVE-2022-41773 ‼
via "National Vulnerability Database".
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckDIACloud. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries.
‼ CVE-2022-41701 ‼
via "National Vulnerability Database".
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutShift API.
‼ CVE-2022-0074 ‼
via "National Vulnerability Database".
Untrusted Search Path vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Container allows Privilege Escalation. This affects versions from 1.6.15 before 1.7.16.1.