βΌ CVE-2022-46383 βΌ
π Read
via "National Vulnerability Database".
RackN Digital Rebar through 4.6.14, 4.7 through 4.7.22, 4.8 through 4.8.5, 4.9 through 4.9.12, and 4.10 through 4.10.8 has exposed a privileged token via a public API endpoint (Incorrect Access Control). The token can be used to escalate privileges within the Digital Rebar system and grant full administrative access.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44289 βΌ
π Read
via "National Vulnerability Database".
Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell.π Read
via "National Vulnerability Database".
β Ping of death! FreeBSD fixes crashtastic bug in network tool β
π Read
via "Naked Security".
It's a venerable program, and this version had a venerable bug in it.π Read
via "Naked Security".
Naked Security
Ping of death! FreeBSD fixes crashtastic bug in network tool
Itβs a venerable program, and this version had a venerable bug in it.
β Number Nine! Chrome fixes another 2022 zero-day, Edge patched too β
π Read
via "Naked Security".
Ninth more unto the breach, dear friends, ninth more.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Name That Edge Toon: Not Your Average Bear π΄
π Read
via "Dark Reading".
Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.π Read
via "Dark Reading".
Dark Reading
Name That Edge Toon: Not Your Average Bear
Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.
β SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m β
π Read
via "Naked Security".
Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ What Will It Take to Secure Critical Infrastructure? π΄
π Read
via "Dark Reading".
There's no quick fix after decades of underinvestment, but the process has started. Cybersecurity grants, mandatory reporting protocols, and beefed-up authentication requirements are being put in place.π Read
via "Dark Reading".
Dark Reading
What Will It Take to Secure Critical Infrastructure?
There's no quick fix after decades of underinvestment, but the process has started. Cybersecurity grants, mandatory reporting protocols, and beefed-up authentication requirements are being put in place.
βΌ CVE-2022-23470 βΌ
π Read
via "National Vulnerability Database".
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30305 βΌ
π Read
via "National Vulnerability Database".
An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38379 βΌ
π Read
via "National Vulnerability Database".
Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40680 βΌ
π Read
via "National Vulnerability Database".
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34361 βΌ
π Read
via "National Vulnerability Database".
IBM Sterling Secure Proxy 6.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 230522.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23472 βΌ
π Read
via "National Vulnerability Database".
Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35843 βΌ
π Read
via "National Vulnerability Database".
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions and FortiProxy SSH login component 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23466 βΌ
π Read
via "National Vulnerability Database".
teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33875 βΌ
π Read
via "National Vulnerability Database".
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45326 βΌ
π Read
via "National Vulnerability Database".
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33876 βΌ
π Read
via "National Vulnerability Database".
Multiple instances of improper input validation vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to retrieve files with specific extension from the underlying Linux system via crafted HTTP requests.π Read
via "National Vulnerability Database".
π΄ Google Chrome Flaw Added to CISA Patch List π΄
π Read
via "Dark Reading".
CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.π Read
via "Dark Reading".
Dark Reading
Google Chrome Flaw Added to CISA Patch List
CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.
π΄ Russia Readies Winter Cyberattacks As Troops Retreat From Ukraine π΄
π Read
via "Dark Reading".
Microsoft warns that the Kremlin is ramping up cyberattacks against infrastructure and supply chains and starting disinformation campaigns as Russian troops lose on the battlefield.π Read
via "Dark Reading".
Dark Reading
Russia Readies Winter Cyberattacks As Troops Retreat From Ukraine
Microsoft warns that the Kremlin is ramping up cyberattacks against infrastructure and supply chains and starting disinformation campaigns as Russian troops lose on the battlefield.
π2
π΄ Cambridge Centre for Risk Studies and Kivu Release Benchmark of Cost-Effective Responses to Cybercrime π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Cambridge Centre for Risk Studies and Kivu Release Benchmark of Cost-Effective Responses to Cybercrime
BERKELEY, Calif., Dec. 6, 2022 /PRNewswire/ -- In a report released today, The Cambridge Centre for Risk Studies (CCRS) and Kivu Consulting, Inc. have combined efforts to research and benchmark cost-effective responses to cybercrime. The research report,β¦