🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
CVE-2022-3724

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or a crafted capture file on Windows.

📖 Read

via "National Vulnerability Database".
CVE-2022-29839

Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud versions prior to 5.25.124 on Linux.

📖 Read

via "National Vulnerability Database".
CVE-2022-23493

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contains an out-of-bounds read in the xrdp_mm_trans_process_drdynvc_channel_close() function. There are no known workarounds for this issue. Users are advised to upgrade.

📖 Read

via "National Vulnerability Database".
CVE-2022-23482

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contains an out-of-bounds read in the xrdp_sec_process_mcs_data_CS_CORE() function. There are no known workarounds for this issue. Users are advised to upgrade.

📖 Read

via "National Vulnerability Database".
CVE-2022-23481

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contains an out-of-bounds read in the xrdp_caps_process_confirm_active() function. There are no known workarounds for this issue. Users are advised to upgrade.

📖 Read

via "National Vulnerability Database".
CVE-2022-23477

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contains a buffer overflow in the audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade.

📖 Read

via "National Vulnerability Database".
CVE-2022-25629

An authenticated user who has the privilege to add/edit annotations on the Content tab can craft a malicious annotation that is executed on the annotations page (Annotation Text Column).

📖 Read

via "National Vulnerability Database".
🕴 Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool 🕴

MuddyWater joins threat groups BatLoader and Luna Moth, which have also been using Syncro to take over devices.

📖 Read

via "Dark Reading".
CVE-2022-41299

IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214.

📖 Read

via "National Vulnerability Database".
CVE-2022-4390

A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers. IPv6 is enabled for the WAN interface by default on these devices. While there are firewall restrictions in place that define access restrictions for IPv4 traffic, these restrictions do not appear to be applied to the WAN interface for IPv6. This allows arbitrary access to any services running on the device that may be inadvertently listening via IPv6, such as the SSH and Telnet servers spawned on ports 22 and 23 by default. This misconfiguration could allow an attacker to interact with services only intended to be accessible by clients on the local network.

📖 Read

via "National Vulnerability Database".
CVE-2022-2993

There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.

📖 Read

via "National Vulnerability Database".
CVE-2022-45290

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

📖 Read

via "National Vulnerability Database".
🕴 TikTok Banned on Govt. Devices; Will Private Sector Follow Suit? 🕴

Texas and Maryland this week joined three other states in prohibiting accessing the popular social media app from state-owned devices.

📖 Read

via "Dark Reading".
CVE-2022-34297

Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.

📖 Read

via "National Vulnerability Database".
CVE-2022-46157

Akeneo PIM is an open source Product Information Management (PIM) system. Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allow remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Akeneo PIM Community Edition after the aforementioned versions provides a patched Apache HTTP server configuration file, for the Docker setup and in the documentation sample, to fix this vulnerability. Community Edition users must change their Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022. Users are advised to upgrade. Users unable to upgrade may replace any reference to `<FilesMatch \.php$>` in their Apache httpd configurations with: `<Location "/index.php">`.

📖 Read

via "National Vulnerability Database".
CVE-2022-46166

Spring Boot Admin is an open source administrative user interface for management of Spring Boot applications. All users who run Spring Boot Admin Server, have enabled Notifiers (e.g. Teams-Notifier) and allow write access to environment variables via the UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin, 2.6.10 and 2.7.8, to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST requests) on the `/env` actuator endpoint.

📖 Read

via "National Vulnerability Database".
CVE-2022-44790

Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if the survey id exists.

📖 Read

via "National Vulnerability Database".
CVE-2022-45292

User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.

📖 Read

via "National Vulnerability Database".
CVE-2022-23485

Sentry is an error tracking and performance monitoring platform. In versions of the sentry Python library prior to 22.11.0, an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result, an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which cannot upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).

📖 Read

via "National Vulnerability Database".
CVE-2022-4396

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

📖 Read

via "National Vulnerability Database".
CVE-2022-45145

egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS command execution during package installation via escape characters in a .egg file.

📖 Read

via "National Vulnerability Database".