βΌ CVE-2022-20446 βΌ
π Read
via "National Vulnerability Database".
In AlwaysOnHotwordDetector of AlwaysOnHotwordDetector.java, there is a possible way to access the microphone from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-229793943π Read
via "National Vulnerability Database".
βΌ CVE-2022-41207 βΌ
π Read
via "National Vulnerability Database".
SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL. When clicked by an unsuspecting victim, it will use an unsensitized parameter to redirect the victim to a malicious site of the attacker's choosing which can result in disclosure or modification of the victim's information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41258 βΌ
π Read
via "National Vulnerability Database".
Due to insufficient input validation, SAP Financial Consolidation - version 1010, allows an authenticated attacker to inject malicious script when running a common query in the Web Administration Console. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality, integrity and availability of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20447 βΌ
π Read
via "National Vulnerability Database".
In PAN_WriteBuf of pan_api.cc, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-233604485π Read
via "National Vulnerability Database".
βΌ CVE-2022-41205 βΌ
π Read
via "National Vulnerability Database".
SAP GUI allows an authenticated attacker to execute scripts in the local network. On successful exploitation, the attacker can gain access to registries which can cause a limited impact on confidentiality and high impact on availability of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34823 βΌ
π Read
via "National Vulnerability Database".
Buffer overflow vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41211 βΌ
π Read
via "National Vulnerability Database".
Due to lack of proper memory management, when a victim opens manipulated file received from untrusted sources in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer, Arbitrary Code Execution can be triggered when payload forces:Re-use of dangling pointer which refers to overwritten space in memory. The accessed memory must be filled with code to execute the attack. Therefore, repeated success is unlikely.Stack-based buffer overflow. Since the memory overwritten is random, based on access rights of the memory, repeated success is not assured.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32602 βΌ
π Read
via "National Vulnerability Database".
In keyinstall, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07388790; Issue ID: ALPS07388790.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41212 βΌ
π Read
via "National Vulnerability Database".
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-20448 βΌ
π Read
via "National Vulnerability Database".
In buzzBeepBlinkLocked of NotificationManagerService.java, there is a possible way to share data across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-237540408π Read
via "National Vulnerability Database".
βΌ CVE-2022-41259 βΌ
π Read
via "National Vulnerability Database".
SAP SQL Anywhere - version 17.0, allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use an ARRAY constructor.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41215 βΌ
π Read
via "National Vulnerability Database".
SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient URL validation. This could lead to the user being tricked to disclose personal information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41260 βΌ
π Read
via "National Vulnerability Database".
SAP Financial Consolidation - version 1010, does not sufficiently encode user-controlled input which may allow an unauthenticated attacker to inject a web script via a GET request. On successful exploitation, an attacker can view or modify information causing a limited impact on confidentiality and integrity of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41203 βΌ
π Read
via "National Vulnerability Database".
In some workflow of SAP BusinessObjects BI Platform (Central Management Console and BI LaunchPad), an authenticated attacker with low privileges can intercept a serialized object in the parameters and substitute with another malicious serialized object, which leads to deserialization of untrusted data vulnerability. This could highly compromise the Confidentiality, Integrity, and Availability of the system.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41214 βΌ
π Read
via "National Vulnerability Database".
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges to use a remote enabled function to delete a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the integrity and availability of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34822 βΌ
π Read
via "National Vulnerability Database".
Path traversal vulnerability in CLUSTERPRO X 5.0 for Windows and earlier, EXPRESSCLUSTER X 5.0 for Windows and earlier, CLUSTERPRO X 5.0 SingleServerSafe for Windows and earlier, EXPRESSCLUSTER X 5.0 SingleServerSafe for Windows and earlier allows a remote unauthenticated attacker to overwrite existing files on the file system and to potentially execute arbitrary code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30515 βΌ
π Read
via "National Vulnerability Database".
ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39328 βΌ
π Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43144 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.π Read
via "National Vulnerability Database".
βοΈ Patch Tuesday, November 2022 Election Edition βοΈ
π Read
via "Krebs on Security".
Let's face it: Having β2022 electionβ in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.π Read
via "Krebs on Security".
Krebsonsecurity
Patch Tuesday, November 2022 Election Edition
Let's face it: Having β2022 electionβ in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we'veβ¦
βΌ CVE-2022-3887 βΌ
π Read
via "National Vulnerability Database".
Use after free in Web Workers in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".