CVE-2022-3858
via "National Vulnerability Database".
The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.
CVE-2022-3426
via "National Vulnerability Database".
The Advanced WP Columns WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-3909
via "National Vulnerability Database".
The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-3694
via "National Vulnerability Database".
The Syncee WordPress plugin before 1.0.10 leaks the administrator token that can be used to take over the administrator's account.
CVE-2022-1540
via "National Vulnerability Database".
The PostmagThemes Demo Import WordPress plugin through 1.0.7 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) leading to RCE.
Cybersecurity Should Focus on Managing Risk
via "Dark Reading".
Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimizing the greatest risks.
Cyberattack Shuts Down French Hospital
via "Dark Reading".
Patients transferred and operations canceled following a recent network breach at a hospital in the outskirts of Paris.
Judge Orders U.S. Lawyer in Russian Botnet Case to Pay Google
via "Krebs on Security".
In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet's largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google's legal fees.
Hive Social Buzzing With Security Flaws, Analysts Warn
via "Dark Reading".
Twitter alternative Hive Social took down its servers after researchers discovered several critical vulnerabilities.
CVE-2022-43516
via "National Vulnerability Database".
A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI).
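A check a practitioner could run after installing the agent, added here as an example and not part of Zabbix or of the advisory: parse the output of `netsh advfirewall firewall show rule name=all verbose` and flag enabled inbound Allow rules whose remote address, local port and program are all Any. The sample output below is constructed in that command's layout (the field names and the "Any" wording are an assumption about it; adapt the regex if your build prints differently). It is written in Python rather than PowerShell so the same logic can run on a collector that pulls netsh dumps from many hosts. The second constructed rule shows the shape of a sane replacement: scoped to the agent binary, the agent's listening port (10050 by default) and the Zabbix server's address.

```python
import re

# Constructed sample in the layout of
#   netsh advfirewall firewall show rule name=all verbose
# The field names are an assumption about that layout; every value is
# made up for the example (this is not a real host dump).
SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            Zabbix Agent
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Program:                              Any
Action:                               Allow

Rule Name:                            Zabbix Agent (scoped)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:
LocalIP:                              Any
RemoteIP:                             10.0.5.10
Protocol:                             TCP
LocalPort:                            10050
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\Program Files\Zabbix Agent\zabbix_agentd.exe
Action:                               Allow

Rule Name:                            Zabbix Agent outbound
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Program:                              Any
Action:                               Allow
"""

# "Label:   value" lines; the non-greedy label stops at the first colon,
# so a Windows path in the value keeps its drive-letter colon.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_rules(netsh_text):
    """Split netsh output into one dict per rule, keyed by the field labels."""
    rules, current = [], None
    for line in netsh_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # separator dashes and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


# A missing field is treated as unrestricted, which is the conservative reading.
WILDCARD_FIELDS = ("RemoteIP", "LocalPort", "Program")


def is_wide_open(rule):
    """Enabled inbound Allow rule with no remote-address, port or program restriction."""
    if rule.get("Enabled") != "Yes" or rule.get("Direction") != "In":
        return False
    if rule.get("Action") != "Allow":
        return False
    return all(rule.get(field, "Any") == "Any" for field in WILDCARD_FIELDS)


def wide_open_rules(netsh_text):
    """Names of rules that should be deleted or re-scoped."""
    return [r["Rule Name"] for r in parse_rules(netsh_text) if is_wide_open(r)]


if __name__ == "__main__":
    for name in wide_open_rules(SAMPLE_NETSH_OUTPUT):
        print("wide-open inbound rule:", name)
```

Feed it the real dump with `netsh advfirewall firewall show rule name=all verbose > rules.txt` and `wide_open_rules(open("rules.txt").read())`; the outbound rule is deliberately not flagged, since the advisory is about unsolicited inbound connections.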
CVE-2022-43097
via "National Vulnerability Database".
Phpgurukul User Registration & User Management System v3.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & login pages.
CVE-2022-43515
via "National Vulnerability Database".
Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using an IP address not listed in the defined range.
CVE-2022-4292
via "National Vulnerability Database".
Use After Free in GitHub repository vim/vim prior to 9.0.0882.
CVE-2022-23467
via "National Vulnerability Database".
OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need access to a user's keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices.
CVE-2022-4293
via "National Vulnerability Database".
Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.
CVE-2022-45771
via "National Vulnerability Database".
An issue in the /api/audits component of Pwndoc v0.5.3 allows attackers to escalate privileges and execute arbitrary code via uploading a crafted audit file.
Wiper, Disguised as Fake Ransomware, Targets Russian Orgs
via "Dark Reading".
The program, dubbed CryWiper, is aimed at Russian targets; it requests a ransom but has no way to decrypt any overwritten files.
CVE-2022-43557
via "National Vulnerability Database".
The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. If exploited, threat actors with physical access, specialized equipment and knowledge may be able to configure or disable the pump. No electronic protected health information (ePHI), protected health information (PHI) or personally identifiable information (PII) is stored in the pump.
CVE-2022-37783
via "National Vulnerability Database".
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without encoding it, whereas the corresponding HTML hidden field discloses the user's password hash in a masked manner, which can be decoded by using public functions of the Yii framework.
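The point of the second half of that description is that masking is not encryption. As an added illustration (not Craft's or Yii's code), the Python below reimplements the masking scheme I understand Yii 2's Security::maskToken() and unmaskToken() to use: a random mask as long as the token is generated, and base64url(mask || (mask XOR token)) is emitted with padding stripped. Because the mask travels inside the value, anyone holding the hidden field can undo it with no key, so a hash embedded in the token is disclosed just as surely as in the raw cookie. The token value, the nonce and the bcrypt-style hash in it are constructed for the example and stand in for whatever the vulnerable field actually carried.

```python
import base64
import os
import re
from typing import Optional

# Reimplementation, for illustration only, of the masking scheme I understand
# Yii 2's Security::maskToken()/unmaskToken() to use (assumption: it matches Yii;
# this is not Yii's or Craft's code).


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(text: str) -> bytes:
    # Restore the '=' padding the encoder stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mask_token(token: bytes, mask: Optional[bytes] = None) -> str:
    """Mask a token: random mask per call, so one token masks differently each time."""
    mask = os.urandom(len(token)) if mask is None else mask
    if len(mask) != len(token):
        raise ValueError("mask must be as long as the token")
    xored = bytes(m ^ t for m, t in zip(mask, token))
    return _b64url_encode(mask + xored)


def unmask_token(masked: str) -> bytes:
    """Recover the token: the mask is the first half of the payload, no key involved."""
    raw = _b64url_decode(masked)
    if len(raw) % 2:
        return b""  # malformed: payload must be mask + xored token of equal length
    half = len(raw) // 2
    return bytes(m ^ x for m, x in zip(raw[:half], raw[half:]))


# bcrypt-style hash: $2y$<cost>$ followed by a 22-char salt and 31-char digest.
BCRYPT_RE = re.compile(rb"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def extract_hash(masked_field: str) -> Optional[bytes]:
    """What an attacker does with a leaked hidden-field value: unmask, then look for a hash."""
    m = BCRYPT_RE.search(unmask_token(masked_field))
    return m.group(0) if m else None


# Constructed token value: a made-up nonce plus a made-up bcrypt hash, in place of
# whatever Craft actually put in the field.
CONSTRUCTED_HASH = b"$2y$13$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
CONSTRUCTED_TOKEN = b"6f3e1c9ad2b4|" + CONSTRUCTED_HASH


if __name__ == "__main__":
    field = mask_token(CONSTRUCTED_TOKEN)
    print("hidden field value:", field)
    print("recovered hash    :", extract_hash(field))
```

The masking exists to defeat compression-oracle attacks such as BREACH by making the token look different on every page load, not to hide its contents; the fix for the CVE is to stop putting the hash into the token at all, and to rotate any tokens that may have been captured.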
CVE-2022-45481
via "National Vulnerability Database".
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-35254
via "National Vulnerability Database".
An unauthenticated attacker can cause a denial-of-service to the following products: Ivanti Connect Secure (ICS) in versions prior to 9.1R14.3, 9.1R15.2, 9.1R16.2, and 22.2R4, Ivanti Policy Secure (IPS) in versions prior to 9.1R17 and 22.3R1, and Ivanti Neurons for Zero-Trust Access in versions prior to 22.3R1.