π΄ $275M Fine for Meta After Facebook Data Scrape π΄
π Read
via "Dark Reading".
Meta has been found in violation of Europe's GDPR rules requiring the social media giant to protect user data by 'design and default.'π Read
via "Dark Reading".
Dark Reading
$275M Fine for Meta After Facebook Data Scrape
Meta has been found in violation of Europe's GDPR rules requiring the social media giant to protect user data by "design and default."
π΄ Black Basta Gang Deploys Qakbot Malware in Aggressive Cyber Campaign π΄
π Read
via "Dark Reading".
The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organizationβs network.π Read
via "Dark Reading".
Dark Reading
Black Basta Gang Deploys Qakbot Malware in Aggressive Cyber Campaign
The ransomware group is using Qakbot to make the initial point of entry before moving laterally within an organizationβs network.
βΌ CVE-2022-41732 βΌ
π Read
via "National Vulnerability Database".
IBM Maximo Mobile 8.7 and 8.8 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 237407.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4169 βΌ
π Read
via "National Vulnerability Database".
The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.π Read
via "National Vulnerability Database".
π1
π΄ Cybersecurity Consolidation Continues, Even as Valuations Stall π΄
π Read
via "Dark Reading".
Financing and acquisitions are trending toward smaller deals, which means fewer high-valuation purchases and funding, but likely fewer post-merger layoffs as well.π Read
via "Dark Reading".
Dark Reading
Cybersecurity Consolidation Continues, Even as Valuations Stall
Financing and acquisitions are trending toward smaller deals, which means fewer high-valuation purchases and funding, but likely fewer post-merger layoffs as well.
βΌ CVE-2022-4104 βΌ
π Read
via "National Vulnerability Database".
A loop with an unreachable exit condition can be triggered by passing a crafted JPEG file to the Lepton image compression tool, resulting in a denial-of-service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38140 βΌ
π Read
via "National Vulnerability Database".
Auth. (contributor+) Arbitrary File Upload in SEO Plugin by Squirrly SEO plugin <= 12.1.10 on WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34654 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) in Virgial Berveling's Manage Notification E-mails plugin <= 1.8.2 on WordPress.π Read
via "National Vulnerability Database".
βοΈ U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer βοΈ
π Read
via "Krebs on Security".
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices.π Read
via "Krebs on Security".
Krebs on Security
U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based inβ¦
βΌ CVE-2022-38753 βΌ
π Read
via "National Vulnerability Database".
This update resolves a multi-factor authentication bypass attackπ Read
via "National Vulnerability Database".
βΌ CVE-2022-4129 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the Linux kernel's Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. A local user could use this flaw to potentially crash the system causing a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45224 βΌ
π Read
via "National Vulnerability Database".
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in Admin/add-admin.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45223 βΌ
π Read
via "National Vulnerability Database".
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24187 βΌ
π Read
via "National Vulnerability Database".
The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end-users user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an attacker to discover sensitive information such as end-user email addresses, and their unique frame_token value of all other Ourphoto App end-users.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41965 βΌ
π Read
via "National Vulnerability Database".
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to redirect users to sites outside of one's Opencast install, potentially facilitating phishing attacks or other security issues. This issue is fixed in Opencast 12.5 and newer.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45214 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-45921 βΌ
π Read
via "National Vulnerability Database".
FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4127 βΌ
π Read
via "National Vulnerability Database".
A NULL pointer dereference issue was discovered in the Linux kernel in io_files_update_with_index_alloc. A local user could use this flaw to potentially crash the system causing a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24190 βΌ
π Read
via "National Vulnerability Database".
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45221 βΌ
π Read
via "National Vulnerability Database".
Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in changepassword.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtnew_password parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24188 βΌ
π Read
via "National Vulnerability Database".
The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.π Read
via "National Vulnerability Database".