CVE-2022-43103 (via National Vulnerability Database)
Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the list parameter in the formSetQosBand function.

CVE-2022-43109 (via National Vulnerability Database)
D-Link DIR-823G v1.0.2 was found to contain a command injection vulnerability in the function SetNetworkTomographySettings. This vulnerability allows attackers to execute arbitrary commands via a crafted packet.

CVE-2022-43104 (via National Vulnerability Database)
Tenda AC23 V16.03.07.45_cn was discovered to contain a stack overflow via the wpapsk_crypto parameter in the fromSetWirelessRepeat function.

S3 Ep107: Eight months to kick out the crooks and you think that's GOOD? [Audio + Text] (via Naked Security)
Listen now - latest episode - audio plus full transcript

CVE-2022-42753 (via National Vulnerability Database)
SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.

CVE-2022-3258 (via National Vulnerability Database)
Incorrect Permission Assignment for Critical Resource vulnerability in HYPR Workforce Access on Windows allows Authentication Abuse.

CVE-2022-3852 (via National Vulnerability Database)
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete and modify calendars, as well as the plugin settings, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-43372 (via National Vulnerability Database)
Emlog Pro v1.7.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /admin/store.php.

CVE-2022-42750 (via National Vulnerability Database)
CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user.

CVE-2022-3675 (via National Vulnerability Database)
Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line.

CVE-2022-42751 (via National Vulnerability Database)
CandidATS version 3.0.0 allows an external attacker to elevate privileges in the application. This is possible because the application suffers from CSRF. This allows an attacker to persuade an administrator to create a new account with administrative permissions.

CVE-2022-40131 (via National Vulnerability Database)
Cross-Site Request Forgery (CSRF) vulnerability in a3rev Software Page View Count plugin <= 2.5.5 on WordPress allows an attacker to reset the plugin settings.

CVE-2022-36404 (via National Vulnerability Database)
Auth. (subscriber+) Broken Access Control vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemaps.

CVE-2022-40276 (via National Vulnerability Database)
Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them.

CVE-2022-43061 (via National Vulnerability Database)
Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /operations/travellers.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-41713 (via National Vulnerability Database)
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.

CVE-2021-44862 (via National Vulnerability Database)
Netskope client is impacted by a vulnerability where an authenticated, local attacker can view sensitive information stored in NSClient logs which should be restricted. The vulnerability exists because the sensitive information is not masked/scrubbed before writing in the logs. A malicious user can use the sensitive information to download data and impersonate another user.

CVE-2022-42745 (via National Vulnerability Database)
CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.

CVE-2022-42743 (via National Vulnerability Database)
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.

CVE-2022-44628 (via National Vulnerability Database)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in JumpDEMAND Inc. 4ECPS Web Forms plugin <= 0.2.17 on WordPress.

CVE-2022-44627 (via National Vulnerability Database)
Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemaps.