‼ CVE-2022-40276 ‼
📖 Read
via "National Vulnerability Database".
Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them.
‼ CVE-2022-43061 ‼
Online Tours & Travels Management System v1.0 was discovered to contain an arbitrary file upload vulnerability in the component /operations/travellers.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
‼ CVE-2022-41713 ‼
deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the '__proto__' property to be edited.
‼ CVE-2021-44862 ‼
Netskope client is impacted by a vulnerability where an authenticated, local attacker can view sensitive information stored in NSClient logs which should be restricted. The vulnerability exists because the sensitive information is not masked/scrubbed before being written to the logs. A malicious user can use the sensitive information to download data and impersonate another user.
‼ CVE-2022-42745 ‼
CandidATS version 3.0.0 allows an external attacker to read arbitrary files from the server. This is possible because the application is vulnerable to XXE.
‼ CVE-2022-42743 ‼
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
‼ CVE-2022-44628 ‼
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in JumpDEMAND Inc. 4ECPS Web Forms plugin <= 0.2.17 on WordPress.
‼ CVE-2022-44627 ‼
Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO plugin <= 1.8.12 on WordPress allows attackers to create or delete sitemaps.
‼ CVE-2022-43063 ‼
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Users.php?f=delete_client.
‼ CVE-2022-43574 ‼
IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations. IBM X-Force ID: 238679.
‼ CVE-2022-43495 ‼
OpenHarmony-v3.1.2 and prior versions had a DoS vulnerability in distributedhardware_device_manager when joining a network. Network attackers can send an abnormal packet when joining a network, causing a nullptr dereference and a device reboot.
‼ CVE-2022-41714 ‼
fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be edited.
‼ CVE-2022-42746 ‼
CandidATS version 3.0.0, on the 'indexFile' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
‼ CVE-2022-43062 ‼
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_appointment.
‼ CVE-2022-42748 ‼
CandidATS version 3.0.0, on the 'sortDirection' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
‼ CVE-2022-42749 ‼
CandidATS version 3.0.0, on the 'page' parameter of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks.
‼ CVE-2022-43449 ‼
OpenHarmony-v3.1.2 and prior versions had an arbitrary file read vulnerability via download_server. Local attackers can install a malicious application on the device and reveal any file from the filesystem that is accessible to the download_server service, which runs with UID 1000.
‼ CVE-2022-43451 ‼
OpenHarmony-v3.1.2 and prior versions had multiple path traversal vulnerabilities in the appspawn and nwebspawn services. Local attackers can create arbitrary directories or escape the application sandbox. If chained with other vulnerabilities, this would allow an unprivileged process to gain full root privileges.
‼ CVE-2022-41666 ‼
A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert (V3.3 Hotfix 1 or prior), Pro-face BLUE (V3.3 Hotfix 1 or prior).
‼ CVE-2022-44724 ‼
The Handy Tip macro in Stiltsoft Handy Macros for Confluence Server/Data Center 3.x before 3.5.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability.
🗓️ Boffins rekindle one-time program cryptographic concept 🗓️
📖 Read
via "The Daily Swig".
Authentication idea advanced but not yet fulfilled