βΌ CVE-2022-30515 βΌ
π Read
via "National Vulnerability Database".
ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39328 βΌ
π Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43144 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.π Read
via "National Vulnerability Database".
βοΈ Patch Tuesday, November 2022 Election Edition βοΈ
π Read
via "Krebs on Security".
Let's face it: Having β2022 electionβ in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we've patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November's patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild.π Read
via "Krebs on Security".
Krebsonsecurity
Patch Tuesday, November 2022 Election Edition
Let's face it: Having β2022 electionβ in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we'veβ¦
βΌ CVE-2022-3887 βΌ
π Read
via "National Vulnerability Database".
Use after free in Web Workers in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2022-3890 βΌ
π Read
via "National Vulnerability Database".
Heap buffer overflow in Crashpad in Google Chrome on Android prior to 107.0.5304.106 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2022-3886 βΌ
π Read
via "National Vulnerability Database".
Use after free in Speech Recognition in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2022-3889 βΌ
π Read
via "National Vulnerability Database".
Type confusion in V8 in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2022-3885 βΌ
π Read
via "National Vulnerability Database".
Use after free in V8 in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".
βΌ CVE-2022-3888 βΌ
π Read
via "National Vulnerability Database".
Use after free in WebCodecs in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)π Read
via "National Vulnerability Database".
π±1
βΌ CVE-2022-39390 βΌ
π Read
via "National Vulnerability Database".
Octocat.js is a library used to render a set of options into an SVG. Versions prior to 1.2 are subject to JavaScript injection via user provided URLs. Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. This vulnerability was fixed in version 1.2 of octocat.js. As a workaround, writing an image to disk then using that image in an image element in HTML mitigates the risk.π Read
via "National Vulnerability Database".
π Zeek 5.0.3 π
π Read
via "Packet Storm Security".
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber-infrastructure. Zeek's user community includes major universities, research labs, supercomputing centers, and open-science communities. This is the source code release.π Read
via "Packet Storm Security".
Packetstormsecurity
Zeek 5.0.3 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
ποΈ CSS injection flaw patched in Acronis cloud management console ποΈ
π Read
via "The Daily Swig".
CSRF attacks could be triggered to access and exfiltrate informationπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
CSS injection flaw patched in Acronis cloud management console
CSRF attacks could be triggered to access and exfiltrate information
βΌ CVE-2022-43321 βΌ
π Read
via "National Vulnerability Database".
Shopwind v3.4.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the component /common/library/Page.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43320 βΌ
π Read
via "National Vulnerability Database".
FeehiCMS v2.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /web/admin/index.php?r=log%2Fview-layer.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31253 βΌ
π Read
via "National Vulnerability Database".
A Untrusted Search Path vulnerability in openldap2 of openSUSE Factory allows local attackers with control of the ldap user or group to change ownership of arbitrary directory entries to this user/group, leading to escalation to root. This issue affects: openSUSE Factory openldap2 versions prior to 2.6.3-404.1.π Read
via "National Vulnerability Database".
β Silk Road drugs market hacker pleads guilty, faces 20 years inside β
π Read
via "Naked Security".
Jurisprudence isn't like arithmetic... two negatives never make a positive!π Read
via "Naked Security".
Naked Security
Silk Road drugs market hacker pleads guilty, faces 20 years inside
Jurisprudence isnβt like arithmeticβ¦ two negatives never make a positive!
β Exchange 0-days fixed (at last) β plus 4 brand new Patch Tuesday 0-days! β
π Read
via "Naked Security".
In all the excitement, we kind of lost count ourselves. Were there six 0-days, or only four?π Read
via "Naked Security".
Naked Security
Exchange 0-days fixed (at last) β plus 4 brand new Patch Tuesday 0-days!
In all the excitement, we kind of lost track ourselves. Were there six 0-days, or only four?
βΌ CVE-2022-28689 βΌ
π Read
via "National Vulnerability Database".
A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-32588 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds write vulnerability exists in the PICT parsing pctwread_14841 functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34577 βΌ
π Read
via "National Vulnerability Database".
In the Kaden PICOFLUX AiR water meter an adversary can read the values through wireless M-Bus mode 5 with a hardcoded shared key while being adjacent to the device.π Read
via "National Vulnerability Database".