📢 GitHub launches private vulnerability reporting to secure the software supply chain 📢
📖 Read
via "ITPro".
The new platform aims to simplify vulnerability disclosure and minimise instances where researchers avoid reporting out of personal convenience📖 Read
via "ITPro".
ITPro
GitHub launches private vulnerability reporting to secure the software supply chain
The new platform aims to simplify vulnerability disclosure and minimise instances where researchers avoid reporting out of personal convenience
📢 The rising tide of no-hook phishing 📢
📖 Read
via "ITPro".
Not all phishing attacks rely on links or attachments, which means you’ll have to be extra careful📖 Read
via "ITPro".
ITPro
The rising tide of no-hook phishing
Not all phishing attacks rely on links or attachments, which means you’ll have to be extra careful
👍1
📢 Lenovo patches ThinkPad, Yoga, IdeaPad UEFI secure boot vulnerability 📢
📖 Read
via "ITPro".
Mistakenly used drivers could allow hackers to modify the secure boot process📖 Read
via "ITPro".
ITPro
Lenovo patches ThinkPad, Yoga, IdeaPad UEFI secure boot vulnerability
Mistakenly used drivers could allow hackers to modify the secure boot process
‼ CVE-2022-44725 ‼
📖 Read
via "National Vulnerability Database".
OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43163 ‼
📖 Read
via "National Vulnerability Database".
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /clients/view_client.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38461 ‼
📖 Read
via "National Vulnerability Database".
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43162 ‼
📖 Read
via "National Vulnerability Database".
Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /tests/view_test.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45072 ‼
📖 Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42903 ‼
📖 Read
via "National Vulnerability Database".
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44001 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43179 ‼
📖 Read
via "National Vulnerability Database".
Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/?page=user/manage_user&id=.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-31608 ‼
📖 Read
via "National Vulnerability Database".
Proofpoint Enterprise Protection before 18.8.0 allows a Bypass of a Security Control.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45071 ‼
📖 Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3090 ‼
📖 Read
via "National Vulnerability Database".
Red Lion Controls Crimson 3.0 versions 707.000 and prior, Crimson 3.1 versions 3126.001 and prior, and Crimson 3.2 versions 3.2.0044.0 and prior are vulnerable to path traversal. When attempting to open a file using a specific path, the user's password hash is sent to an arbitrary host. This could allow an attacker to obtain user credential hashes.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-39389 ‼
📖 Read
via "National Vulnerability Database".
Lightning Network Daemon (lnd) is an implementation of a lightning bitcoin overlay network node. All lnd nodes before version `v0.15.4` are vulnerable to a block parsing bug that can cause a node to enter a degraded state once encountered. In this degraded state, nodes can continue to make payments and forward HTLCs, and close out channels. Opening channels is prohibited, and also on chain transaction events will be undetected. This can cause loss of funds if a CSV expiry is researched during a breach attempt or a CLTV delta expires forgetting the funds in the HTLC. A patch is available in `lnd` version 0.15.4. Users are advised to upgrade. Users unable to upgrade may use the `lncli updatechanpolicy` RPC call to increase their CLTV value to a very high amount or increase their fee policies. This will prevent nodes from routing through your node, meaning that no pending HTLCs can be present.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33897 ‼
📖 Read
via "National Vulnerability Database".
A buffer overflow in Synthesia before 10.7.5567, when a non-Latin locale is used, allows user-assisted attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes. This file is mishandled during a deletion attempt. In Synthesia before 10.9, an improper path handling allows local attackers to cause a denial of service (application crash) via a crafted MIDI file with malformed bytes.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43192 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in the component /dede/file_manage_control.php of Dedecms v5.7.101 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is related to an incomplete fix for CVE-2022-40886.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43183 ‼
📖 Read
via "National Vulnerability Database".
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.📖 Read
via "National Vulnerability Database".
🕴 Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages 🕴
📖 Read
via "Dark Reading".
Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.📖 Read
via "Dark Reading".
Dark Reading
Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages
Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.
‼ CVE-2022-44736 ‼
📖 Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Chameleon plugin <= 1.4.3 on WordPress.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38165 ‼
📖 Read
via "National Vulnerability Database".
WithSecure through 2022-08-10 allows attackers to cause a denial of service (issue 4 of 5).📖 Read
via "National Vulnerability Database".