Piiano Equips Developers to Stop Sensitive Data Breaches
via "Dark Reading".
Data protection company Piiano officially launches a vault for sensitive customer data, the first among a suite of privacy tools for developers.

SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m
via "Naked Security" (Sophos News).
Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.

Will New CISA Guidelines Help Bolster Cyber Defenses?
via "Dark Reading".
Learn how BOD 23-01 asset inventory mandates can help all organizations tighten cybersecurity.

CVE-2020-36565
via "National Vulnerability Database".
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

CVE-2022-41720
via "National Vulnerability Database".
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With the fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

CVE-2022-43581
via "National Vulnerability Database".
IBM Content Navigator 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, and 3.0.12 is vulnerable to missing authorization and could allow an authenticated user to load external plugins and execute code. IBM X-Force ID: 238805.

CVE-2022-44393
via "National Vulnerability Database".
Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/view_service&id=.

CVE-2022-41735
via "National Vulnerability Database".
IBM Business Process Manager 21.0.1 through 21.0.3.1, 20.0.0.1 through 20.0.0.2, and 19.0.0.1 through 19.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 65687.

CVE-2022-44361
via "National Vulnerability Database".
An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php.

CVE-2022-44371
via "National Vulnerability Database".
hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE).

4 Arrested for Filing Fake Tax Returns With Stolen Data
via "Dark Reading".
Cybercrooks allegedly stole personal data, used it to file IRS tax documents, and routed refunds to bank accounts under their control.

CVE-2022-45550
via "National Vulnerability Database".
AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE).

CVE-2022-46770
via "National Vulnerability Database".
qubes-mirage-firewall (aka Mirage firewall for QubesOS) 0.8.x through 0.8.3 allows guest OS users to cause a denial of service (CPU consumption and loss of forwarding) via a crafted multicast UDP packet (IP address range of 224.0.0.0 through 239.255.255.255).

CVE-2022-44373
via "National Vulnerability Database".
A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution.

CVE-2022-44351
via "National Vulnerability Database".
Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php.

Key Security Announcements From AWS re:Invent 2022
via "Dark Reading".
At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

Fraudsters Siphon $360M From Retailers Using 50M Fake Shoppers
via "Dark Reading".
Cyberattackers focused on ad fraud and clickjacking stole millions during Black Friday by hijacking shopper accounts and tying up transactions.

CVE-2022-23487
via "National Vulnerability Database".
js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host's operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.

CVE-2022-4341
via "National Vulnerability Database".
A vulnerability has been found in csliuwy coder-chain_gdut and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /back/index.php/user/User/?1. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215095.

CVE-2022-23491
via "National Vulnerability Database".
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Group discussion.

CVE-2022-23486
via "National Vulnerability Database".
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim's process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.