βΌ CVE-2020-6627 βΌ
π Read
via "National Vulnerability Database".
The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43363 βΌ
π Read
via "National Vulnerability Database".
** DISPUTED ** Telegram Web 15.3.1 allows XSS via a certain payload derived from a Target Corporation website. NOTE: some third parties have been unable to discern any relationship between the Pastebin information and a possible XSS finding.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41325 βΌ
π Read
via "National Vulnerability Database".
An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46382 βΌ
π Read
via "National Vulnerability Database".
RackN Digital Rebar through 4.6.14, 4.7 through 4.7.22, 4.8 through 4.8.5, 4.9 through 4.9.12, and 4.10 through 4.10.8 has Insecure Permissions. After signing into Digital Rebar, users are issued authentication tokens tied to their account to perform actions within Digital Rebar. During the validation process of these tokens, Digital Rebar did not check if the user account still exists. Deleted Digital Rebar users could still use their tokens to perform actions within Digital Rebar.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38123 βΌ
π Read
via "National Vulnerability Database".
Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46383 βΌ
π Read
via "National Vulnerability Database".
RackN Digital Rebar through 4.6.14, 4.7 through 4.7.22, 4.8 through 4.8.5, 4.9 through 4.9.12, and 4.10 through 4.10.8 has exposed a privileged token via a public API endpoint (Incorrect Access Control). The token can be used to escalate privileges within the Digital Rebar system and grant full administrative access.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44289 βΌ
π Read
via "National Vulnerability Database".
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.π Read
via "National Vulnerability Database".
β Ping of death! FreeBSD fixes crashtastic bug in network tool β
π Read
via "Naked Security".
It's a venerable program, and this version had a venerable bug in it.π Read
via "Naked Security".
Naked Security
Ping of death! FreeBSD fixes crashtastic bug in network tool
Itβs a venerable program, and this version had a venerable bug in it.
β Number Nine! Chrome fixes another 2022 zero-day, Edge patched too β
π Read
via "Naked Security".
Ninth more unto the breach, dear friends, ninth more.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Name That Edge Toon: Not Your Average Bear π΄
π Read
via "Dark Reading".
Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.π Read
via "Dark Reading".
Dark Reading
Name That Edge Toon: Not Your Average Bear
Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.
β SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m β
π Read
via "Naked Security".
Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ What Will It Take to Secure Critical Infrastructure? π΄
π Read
via "Dark Reading".
There's no quick fix after decades of underinvestment, but the process has started. Cybersecurity grants, mandatory reporting protocols, and beefed-up authentication requirements are being put in place.π Read
via "Dark Reading".
Dark Reading
What Will It Take to Secure Critical Infrastructure?
There's no quick fix after decades of underinvestment, but the process has started. Cybersecurity grants, mandatory reporting protocols, and beefed-up authentication requirements are being put in place.
βΌ CVE-2022-23470 βΌ
π Read
via "National Vulnerability Database".
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30305 βΌ
π Read
via "National Vulnerability Database".
An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38379 βΌ
π Read
via "National Vulnerability Database".
Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40680 βΌ
π Read
via "National Vulnerability Database".
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34361 βΌ
π Read
via "National Vulnerability Database".
IBM Sterling Secure Proxy 6.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 230522.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23472 βΌ
π Read
via "National Vulnerability Database".
Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35843 βΌ
π Read
via "National Vulnerability Database".
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions and FortiProxy SSH login component 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23466 βΌ
π Read
via "National Vulnerability Database".
teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33875 βΌ
π Read
via "National Vulnerability Database".
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.π Read
via "National Vulnerability Database".