βΌ CVE-2022-43556 βΌ
π Read
via "National Vulnerability Database".
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44039 βΌ
π Read
via "National Vulnerability Database".
Franklin Fueling System FFS Colibri 1.9.22.8925 is affected by: File system overwrite. The impact is: File system rewrite (remote). ΓΒΆΓΒΆ An attacker can overwrite system files like [system.conf] and [passwd], this occurs because the insecure usage of "fopen" system function with the mode "wb" which allows overwriting file if exists. Overwriting files such as passwd, allows an attacker to escalate his privileges by planting backdoor user with root privilege or change root password.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34181 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in TomExam 3.0 via p_name parameter to list.thtml.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43548 βΌ
π Read
via "National Vulnerability Database".
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42705 βΌ
π Read
via "National Vulnerability Database".
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40259 βΌ
π Read
via "National Vulnerability Database".
AMI MegaRAC Redfish Arbitrary Code Executionπ Read
via "National Vulnerability Database".
βΌ CVE-2022-45912 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, and traverse to any other directory for remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30122 βΌ
π Read
via "National Vulnerability Database".
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42706 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34881 βΌ
π Read
via "National Vulnerability Database".
Generation of Error Message Containing Sensitive Information vulnerability in Hitachi JP1/Automatic Operation allows local users to gain sensitive information. This issue affects JP1/Automatic Operation: from 10-00 through 10-54-03, from 11-00 before 11-51-09, from 12-00 before 12-60-01.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25912 βΌ
π Read
via "National Vulnerability Database".
The package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when enabling the ext transport protocol, which makes it exploitable via clone() method. This vulnerability exists due to an incomplete fix of [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-2434306).π Read
via "National Vulnerability Database".
π₯1
βΌ CVE-2022-40603 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victimΓ’β¬β’s browser.π Read
via "National Vulnerability Database".
π₯1
βΌ CVE-2022-24439 βΌ
π Read
via "National Vulnerability Database".
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.π Read
via "National Vulnerability Database".
π₯1
βΌ CVE-2022-46151 βΌ
π Read
via "National Vulnerability Database".
Querybook is an open source data querying UI. In affected versions user provided data is not escaped in the error field of the auth callback url in `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`. This may allow attackers to perform reflected cross site scripting (XSS) if Content Security Policy (CSP) is not enabled or `unsafe-inline` is allowed. Users are advised to upgrade to the latest, patched version of querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP and not allow unsafe-inline or manually escape query parameters in a reverse proxy.π Read
via "National Vulnerability Database".
π2π₯1
βΌ CVE-2022-42761 βΌ
π Read
via "National Vulnerability Database".
In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42779 βΌ
π Read
via "National Vulnerability Database".
In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42771 βΌ
π Read
via "National Vulnerability Database".
In wlan driver, there is a race condition, This could lead to local denial of service in wlan services.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39102 βΌ
π Read
via "National Vulnerability Database".
In power management service, there is a missing permission check. This could lead to set up power management service with no additional execution privileges needed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42764 βΌ
π Read
via "National Vulnerability Database".
In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42769 βΌ
π Read
via "National Vulnerability Database".
In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.π Read
via "National Vulnerability Database".
π΄ Machine Learning Models: A Dangerous New Attack Vector π΄
π Read
via "Dark Reading".
Threat actors can weaponize code within AI technology to gain initial network access, move laterally, deploy malware, steal data, or even poison an organization's supply chain.π Read
via "Dark Reading".
Dark Reading
Machine Learning Models: A Dangerous New Attack Vector
Threat actors can weaponize code within AI technology to gain initial network access, move laterally, deploy malware, steal data, or even poison an organization's supply chain.