βΌ CVE-2021-45446 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43255 βΌ
π Read
via "National Vulnerability Database".
GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain a memory leak via the component gf_odf_new_iod at odf/odf_code.c.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43250 βΌ
π Read
via "National Vulnerability Database".
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43238 βΌ
π Read
via "National Vulnerability Database".
Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43243 βΌ
π Read
via "National Vulnerability Database".
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43242 βΌ
π Read
via "National Vulnerability Database".
Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_luma<unsigned char> in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.π Read
via "National Vulnerability Database".
π1
ποΈ Malicious proof-of-concepts are exposing GitHub users to malware and more ποΈ
π Read
via "The Daily Swig".
New research suggests thousands of PoCs could be dangerousπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Malicious proof-of-concepts are exposing GitHub users to malware and more
New research suggests thousands of PoCs could be dangerous
β OpenSSL patches are out β CRITICAL bug downgraded to HIGH, but patch anyway! β
π Read
via "Naked Security".
That bated-breath OpenSSL update is out! It's no longer rated CRITICAL, but we advise you to patch ASAP anyway. Here's why...π Read
via "Naked Security".
Naked Security
OpenSSL patches are out β CRITICAL bug downgraded to HIGH, but patch anyway!
That bated-breath OpenSSL update is out! Itβs no longer rated CRITICAL, but we advise you to patch ASAP anyway. Hereβs whyβ¦
β SHA-3 code execution bug patched in PHP β check your version! β
π Read
via "Naked Security".
As everyone waits for news of a bug in OpenSSL, here's a reminder that other cryptographic code in your life may also need patching!π Read
via "Naked Security".
Naked Security
SHA-3 code execution bug patched in PHP β check your version!
As everyone waits for news of a bug in OpenSSL, hereβs a reminder that other cryptographic code in your life may also need patching!
βΌ CVE-2022-43227 βΌ
π Read
via "National Vulnerability Database".
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/admin/?page=appointments/view_appointment.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39356 βΌ
π Read
via "National Vulnerability Database".
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to their account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scope them to individual email addresses.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39353 βΌ
π Read
via "National Vulnerability Database".
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3575 βΌ
π Read
via "National Vulnerability Database".
Frauscher Sensortechnik GmbH FDS102 for FAdC R2 and FAdCi R2 v2.8.0 to v2.9.1 are vulnerable to malicious code upload without authentication by using the configuration upload function. This could lead to a complete compromise of the FDS102 device.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39241 βΌ
π Read
via "National Vulnerability Database".
Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41551 βΌ
π Read
via "National Vulnerability Database".
Garage Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /garage/editorder.php.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-39378 βΌ
π Read
via "National Vulnerability Database".
Discourse is a platform for community discussion. Under certain conditions, a user badge may have been awarded based on a user's activity in a topic with restricted access. Before this vulnerability was disclosed, the topic title of the topic associated with the user badge may be viewed by any user. If there are sensitive information in the topic title, it will therefore have been exposed. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. There are currently no known workarounds available.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43226 βΌ
π Read
via "National Vulnerability Database".
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /odlms/?page=appointments/view_appointment.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45448 βΌ
π Read
via "National Vulnerability Database".
Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41716 βΌ
π Read
via "National Vulnerability Database".
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".π Read
via "National Vulnerability Database".
βΌ CVE-2020-36608 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS. Affected by this issue is some unknown functionality of the file admin_organizer.js of the component Error Log Module. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is dfd0afacb26c3682a847bea7b49ea440b63f3baa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-212816.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24936 βΌ
π Read
via "National Vulnerability Database".
Out-of-Bounds error in GBL parser in Silicon Labs Gecko Bootloader version 4.0.1 and earlier allows attacker to overwrite flash Sign key and OTA decryption key via malicious bootloader upgrade.π Read
via "National Vulnerability Database".