🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-41735 ‼

IBM Business Process Manager 21.0.1 through 21.0.3.1, 20.0.0.1 through 20.0.0.2, and 19.0.0.1 through 19.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 65687.

via "National Vulnerability Database".
‼ CVE-2022-44361 ‼

An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php.

via "National Vulnerability Database".
‼ CVE-2022-44371 ‼

hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE).

via "National Vulnerability Database".
🕴 4 Arrested for Filing Fake Tax Returns With Stolen Data 🕴

Cybercrooks allegedly stole personal data, used it to file IRS tax documents, and routed refunds to bank accounts under their control.

via "Dark Reading".
‼ CVE-2022-45550 ‼

AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE).

via "National Vulnerability Database".
‼ CVE-2022-46770 ‼

qubes-mirage-firewall (aka Mirage firewall for QubesOS) 0.8.x through 0.8.3 allows guest OS users to cause a denial of service (CPU consumption and loss of forwarding) via a crafted multicast UDP packet (IP address range of 224.0.0.0 through 239.255.255.255).

via "National Vulnerability Database".
‼ CVE-2022-44373 ‼

A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution.

via "National Vulnerability Database".
‼ CVE-2022-44351 ‼

Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php.

via "National Vulnerability Database".
🕴 Key Security Announcements From AWS re:Invent 2022 🕴

At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

via "Dark Reading".
🕴 Fraudsters Siphon $360M from Retailers Using 50M Fake Shoppers 🕴

Cyberattackers focused on ad fraud and clickjacking stole millions during Black Friday by hijacking shopper accounts and tying up transactions.

via "Dark Reading".
‼ CVE-2022-23487 ‼

js-libp2p is the official JavaScript implementation of the libp2p networking stack. Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host's operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to update their js-libp2p dependency to `v0.38.0` or greater. There are no known workarounds for this vulnerability.

via "National Vulnerability Database".
‼ CVE-2022-4341 ‼

A vulnerability has been found in csliuwy coder-chain_gdut and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /back/index.php/user/User/?1. The manipulation leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215095.

via "National Vulnerability Database".
‼ CVE-2022-23491 ‼

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked Google Group discussion.

via "National Vulnerability Database".
‼ CVE-2022-23486 ‼

libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1, an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim's process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.

via "National Vulnerability Database".
‼ CVE-2022-23492 ‼

go-libp2p is the official libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host's operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (DoS) mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks.

via "National Vulnerability Database".
‼ CVE-2022-23476 ‼

Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.

via "National Vulnerability Database".
‼ CVE-2022-4349 ‼

A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215109 was assigned to this vulnerability.

via "National Vulnerability Database".
‼ CVE-2022-46792 ‼

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

via "National Vulnerability Database".
‼ CVE-2020-36609 ‼

A vulnerability was found in annyshow DuxCMS 2.1. It has been classified as problematic. This affects an unknown part of the file admin.php&r=article/AdminContent/edit of the component Article Handler. The manipulation of the argument content leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215115.

via "National Vulnerability Database".
πŸ—“οΈ NodeBB prototype pollution flaw could lead to account takeover πŸ—“οΈ

β€˜Not a prototype pollution vulnerability as you might normally understand it’

πŸ“– Read

via "The Daily Swig".
πŸ‘1
🕴 Where to Find the Best Open Source Security Technology 🕴

A free resource, updated monthly, lists the most popular, highly rated OSS projects.

via "Dark Reading".
πŸ‘1