‼ CVE-2022-40680 ‼
📖 Read
via "National Vulnerability Database".
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34361 ‼
📖 Read
via "National Vulnerability Database".
IBM Sterling Secure Proxy 6.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 230522.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23472 ‼
📖 Read
via "National Vulnerability Database".
Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35843 ‼
📖 Read
via "National Vulnerability Database".
An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions and FortiProxy SSH login component 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23466 ‼
📖 Read
via "National Vulnerability Database".
teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33875 ‼
📖 Read
via "National Vulnerability Database".
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45326 ‼
📖 Read
via "National Vulnerability Database".
An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33876 ‼
📖 Read
via "National Vulnerability Database".
Multiple instances of improper input validation vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to retrieve files with specific extension from the underlying Linux system via crafted HTTP requests.📖 Read
via "National Vulnerability Database".
🕴 Google Chrome Flaw Added to CISA Patch List 🕴
📖 Read
via "Dark Reading".
CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.📖 Read
via "Dark Reading".
Dark Reading
Google Chrome Flaw Added to CISA Patch List
CISA gives agencies deadline to patch against Google Chrome bug being actively exploited in the wild.
🕴 Russia Readies Winter Cyberattacks As Troops Retreat From Ukraine 🕴
📖 Read
via "Dark Reading".
Microsoft warns that the Kremlin is ramping up cyberattacks against infrastructure and supply chains and starting disinformation campaigns as Russian troops lose on the battlefield.📖 Read
via "Dark Reading".
Dark Reading
Russia Readies Winter Cyberattacks As Troops Retreat From Ukraine
Microsoft warns that the Kremlin is ramping up cyberattacks against infrastructure and supply chains and starting disinformation campaigns as Russian troops lose on the battlefield.
👍2
🕴 Cambridge Centre for Risk Studies and Kivu Release Benchmark of Cost-Effective Responses to Cybercrime 🕴
📖 Read
via "Dark Reading".
📖 Read
via "Dark Reading".
Dark Reading
Cambridge Centre for Risk Studies and Kivu Release Benchmark of Cost-Effective Responses to Cybercrime
BERKELEY, Calif., Dec. 6, 2022 /PRNewswire/ -- In a report released today, The Cambridge Centre for Risk Studies (CCRS) and Kivu Consulting, Inc. have combined efforts to research and benchmark cost-effective responses to cybercrime. The research report,…
‼ CVE-2022-43867 ‼
📖 Read
via "National Vulnerability Database".
IBM Spectrum Scale 5.1.0.1 through 5.1.4.1 could allow a local attacker to execute arbitrary commands in the container. IBM X-Force ID: 239437.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46154 ‼
📖 Read
via "National Vulnerability Database".
Kodexplorer is a chinese language web based file manager and browser based code editor. Versions prior to 4.50 did not prevent unauthenticated users from requesting arbitrary files from the host OS file system. As a result any files available to the host process may be accessed by arbitrary users. This issue has been addressed in version 4.50. Users are advised to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4147 ‼
📖 Read
via "National Vulnerability Database".
Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-44900 ‼
📖 Read
via "National Vulnerability Database".
A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-45548 ‼
📖 Read
via "National Vulnerability Database".
AyaCMS v3.1.2 has an Arbitrary File Upload vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43369 ‼
📖 Read
via "National Vulnerability Database".
AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46333 ‼
📖 Read
via "National Vulnerability Database".
The admin user interface in Proofpoint Enterprise Protection (PPS/PoD) contains a command injection vulnerability that enables an admin to execute commands beyond their allowed scope. This affects all versions 8.19.0 and below.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41560 ‼
📖 Read
via "National Vulnerability Database".
The Statement Set Upload via the Web Client component of TIBCO Software Inc.'s TIBCO Nimbus contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a Denial of Service Attack on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: version 10.5.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46332 ‼
📖 Read
via "National Vulnerability Database".
The Admin Smart Search feature in Proofpoint Enterprise Protection (PPS/PoD) contains a stored cross-site scripting vulnerability that enables an anonymous email sender to gain admin privileges within the user interface. This affects all versions 8.19.0 and below.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23475 ‼
📖 Read
via "National Vulnerability Database".
daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.📖 Read
via "National Vulnerability Database".