βΌ CVE-2022-4341 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been found in csliuwy coder-chain_gdut and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /back/index.php/user/User/?1. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215095.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23491 βΌ
π Read
via "National Vulnerability Database".
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23486 βΌ
π Read
via "National Vulnerability Database".
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.45.1 an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victimΓ’β¬β’s process running out of memory and thus getting killed by its operating system. When executed continuously, this can lead to a denial of service attack, especially relevant on a larger scale when run against more than one node of a libp2p based network. Users are advised to upgrade to `libp2p` `v0.45.1` or above. Users unable to upgrade should reference the DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor their application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23492 βΌ
π Read
via "National Vulnerability Database".
go-libp2p is the offical libp2p implementation in the Go programming language. Version `0.18.0` and older of go-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2pΓ’β¬β’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the hostΓ’β¬β’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. Users are advised to upgrade their version of go-libp2p to version `0.18.1` or newer. Users unable to upgrade may consult the denial of service (dos) mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23476 βΌ
π Read
via "National Vulnerability Database".
Nokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4349 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215109 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46792 βΌ
π Read
via "National Vulnerability Database".
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)π Read
via "National Vulnerability Database".
βΌ CVE-2020-36609 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in annyshow DuxCMS 2.1. It has been classified as problematic. This affects an unknown part of the file admin.php&r=article/AdminContent/edit of the component Article Handler. The manipulation of the argument content leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215115.π Read
via "National Vulnerability Database".
ποΈ NodeBB prototype pollution flaw could lead to account takeover ποΈ
π Read
via "The Daily Swig".
βNot a prototype pollution vulnerability as you might normally understand itβπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
NodeBB prototype pollution flaw could lead to account takeover
βNot a prototype pollution vulnerability as you might normally understand itβ
π1
π΄ Where to Find the Best Open Source Security Technology π΄
π Read
via "Dark Reading".
A free resource, updated monthly, lists the most-popular, highly rated OSS projects.π Read
via "Dark Reading".
Dark Reading
Where to Find the Best Open Source Security Technology
A free resource, updated monthly, lists the most-popular, highly rated OSS projects.
π1
π΄ (ISC)Β² Recruits 110,000 People Interested in a Cybersecurity Career in Three Months π΄
π Read
via "Dark Reading".
Rapid adoption showcases increased interest in cyber education and training for individuals looking to enter the field while helping decrease the workforce gap.π Read
via "Dark Reading".
Dark Reading
(ISC)Β² Recruits 110,000 People Interested in a Cybersecurity Career in Three Months
Rapid adoption showcases increased interest in cyber education and training for individuals looking to enter the field while helping decrease the workforce gap.
π΄ Phishing in the Cloud: We're Gonna Need a Bigger Boat π΄
π Read
via "Dark Reading".
SasS security is everyone's problem.π Read
via "Dark Reading".
Dark Reading
Phishing in the Cloud: We're Gonna Need a Bigger Boat
SasS security is everyone's problem.
π΄ Interpres Security Emerges from Stealth to Help Companies to Optimize Security Performance π΄
π Read
via "Dark Reading".
Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.π Read
via "Dark Reading".
Dark Reading
Interpres Security Emerges from Stealth to Help Companies to Optimize Security Performance
Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.
π TOR Virtual Network Tunneling Tool 0.4.7.12 π
π Read
via "Packet Storm Security".
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). This is the source code release.π Read
via "Packet Storm Security".
Packetstormsecurity
TOR Virtual Network Tunneling Tool 0.4.7.12 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π Wireshark Analyzer 4.0.2 π
π Read
via "Packet Storm Security".
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers. This is the source code release.π Read
via "Packet Storm Security".
Packetstormsecurity
Wireshark Analyzer 4.0.2 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2022-45509 βΌ
π Read
via "National Vulnerability Database".
Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the account parameter at /goform/addUserName.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41802 βΌ
π Read
via "National Vulnerability Database".
Kernel subsystem within OpenHarmony-v3.1.4 and prior versions in kernel_liteos_a has a kernel stack overflow vulnerability when call SysClockGetres. 4 bytes padding data from kernel stack are copied to user space incorrectly and leaked.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39903 βΌ
π Read
via "National Vulnerability Database".
Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45523 βΌ
π Read
via "National Vulnerability Database".
Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the page parameter at /goform/L7Im.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45501 βΌ
π Read
via "National Vulnerability Database".
Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/wifiSSIDset.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39915 βΌ
π Read
via "National Vulnerability Database".
Improper access control vulnerability in Calendar prior to versions 11.6.08.0 in Android Q(10), 12.2.11.3000 in Android R(11), 12.3.07.2000 in Android S(12), and 12.4.02.0 in Android T(13) allows attackers to access sensitive information via implicit intent.π Read
via "National Vulnerability Database".