‼ CVE-2022-25629 ‼
An authenticated user who has the privilege to add/edit annotations on the Content tab can craft a malicious annotation that is executed on the annotations page (Annotation Text Column).
via "National Vulnerability Database".
🕴 Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool 🕴
MuddyWater joins threat groups BatLoader and Luna Moth, which have also been using Syncro to take over devices.
via "Dark Reading".
‼ CVE-2022-41299 ‼
IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214.
via "National Vulnerability Database".
‼ CVE-2022-4390 ‼
A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers. IPv6 is enabled for the WAN interface by default on these devices. While there are firewall restrictions in place that define access restrictions for IPv4 traffic, these restrictions do not appear to be applied to the WAN interface for IPv6. This allows arbitrary access to any services running on the device that may be inadvertently listening via IPv6, such as the SSH and Telnet servers spawned on ports 22 and 23 by default. This misconfiguration could allow an attacker to interact with services only intended to be accessible by clients on the local network.
via "National Vulnerability Database".
‼ CVE-2022-2993 ‼
There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.
via "National Vulnerability Database".
‼ CVE-2022-45290 ‼
Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.
via "National Vulnerability Database".
🕴 TikTok Banned on Govt. Devices; Will Private Sector Follow Suit? 🕴
Texas and Maryland this week joined three other states in prohibiting access to the popular social media app from state-owned devices.
via "Dark Reading".
‼ CVE-2022-34297 ‼
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
via "National Vulnerability Database".
‼ CVE-2022-46157 ‼
Akeneo PIM is an open source Product Information Management (PIM). Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allow remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Akeneo PIM Community Edition after the aforementioned versions provides a patched Apache HTTP server configuration file, for the docker setup and in the documentation sample, to fix this vulnerability. Community Edition users must change their Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022. Users are advised to upgrade. Users unable to upgrade may replace any reference to `<FilesMatch \.php$>` in their Apache httpd configuration with `<Location "/index.php">`.
via "National Vulnerability Database".
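The advisory's workaround is the whole fix, so it is worth seeing the two directives side by side. The fragment below is an added illustration, not Akeneo's shipped configuration: the PHP-FPM socket path and the `/media` upload prefix are assumptions, and the handler line is the common mod_proxy_fcgi form rather than whatever the project's own file uses.

```apache
# Weak: every request whose filename ends in .php is handed to PHP,
# wherever the file lives. An authenticated user who can upload an
# "image" named shoe.php under the upload directory gets code execution.
<FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php/php-fpm.sock|fcgi://localhost"
</FilesMatch>

# Hardened: only the front controller is ever executed. <Location> matches
# the URL prefix, so /index.php and /index.php/some/route still reach PHP,
# while /media/shoe.php is served (or denied) as a plain file.
<Location "/index.php">
    SetHandler "proxy:unix:/var/run/php/php-fpm.sock|fcgi://localhost"
</Location>

# Belt and braces (assumed path): never execute anything from the upload tree.
<Directory "/srv/pim/public/media">
    <FilesMatch "\.(php|phar|phtml)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After the change, run `apachectl -t`, reload, and confirm with `curl -I` that a `.php` file placed under the upload directory comes back as a static response (or a 403) rather than the output of the interpreter.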
‼ CVE-2022-46166 ‼
Spring Boot Admin is an open source administrative user interface for the management of Spring Boot applications. All users who run Spring Boot Admin Server with Notifiers enabled (e.g. the Teams notifier) and write access to environment variables via the UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin, 2.6.10 and 2.7.8, to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST requests) on the `/env` actuator endpoint.
via "National Vulnerability Database".
‼ CVE-2022-44790 ‼
Interspire Email Marketer through 6.5.1 allows SQL Injection via the surveys module. An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if the survey id exists.
via "National Vulnerability Database".
‼ CVE-2022-45292 ‼
User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.
via "National Vulnerability Database".
‼ CVE-2022-23485 ‼
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an attacker with a valid invite link can create multiple users and join an organization they may not have been originally invited to. This issue was patched in version 22.11.0. Sentry SaaS customers do not need to take action. Self-hosted Sentry installs on systems which can not upgrade can disable the invite functionality until they are ready to deploy the patched version by editing their `sentry.conf.py` file (usually located at `~/.sentry/`).
via "National Vulnerability Database".
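The Funkwhale and Sentry entries above are the same class of bug from two directions: an invite that is un-consumed when the account it created is deleted, and an invite whose "already used" state lives in a client-controlled cookie. The example below is added here and is not code from either project; the `InviteStore` class, its in-memory tables and the `insecure_redeem` contrast function are all hypothetical. It shows a single-use invite whose consumption is recorded server side, keyed by the hash of the token, and which stays consumed through account deletion.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Invite:
    token_hash: str            # only the SHA-256 of the token is stored
    org: str
    expires_at: float
    consumed_at: Optional[float] = None
    consumed_by: Optional[str] = None


class InviteStore:
    """Hypothetical server-side invite table (added example)."""

    def __init__(self) -> None:
        self._invites: Dict[str, Invite] = {}
        self.users: Dict[str, str] = {}   # username -> org

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, org: str, ttl: float = 86400.0, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._invites[self._h(token)] = Invite(self._h(token), org, now + ttl)
        return token                          # the raw token goes into the link only

    def redeem(self, token: str, username: str, now: Optional[float] = None) -> str:
        """Consume the invite exactly once; every check is against server state."""
        now = time.time() if now is None else now
        inv = self._invites.get(self._h(token))
        if inv is None:
            raise PermissionError("unknown invite")
        if now > inv.expires_at:
            raise PermissionError("invite expired")
        if inv.consumed_at is not None:
            raise PermissionError("invite already used")
        inv.consumed_at = now
        inv.consumed_by = username
        self.users[username] = inv.org
        return inv.org

    def delete_user(self, username: str) -> None:
        # Deleting the account deliberately leaves the invite consumed; the
        # Funkwhale bug was that deletion made the invite reusable.
        self.users.pop(username)


def insecure_redeem(store: InviteStore, token: str, username: str,
                    cookie_says_used: bool, now: float) -> str:
    """Anti-pattern for contrast: trusts a client-held 'used' flag instead of the
    table, so an attacker who edits the cookie reuses the link (the Sentry bug)."""
    if cookie_says_used:
        raise PermissionError("invite already used")
    inv = store._invites.get(store._h(token))
    if inv is None or now > inv.expires_at:
        raise PermissionError("invalid invite")
    store.users[username] = inv.org
    return inv.org


def redeem_fails(store: InviteStore, token: str, username: str, now: float) -> bool:
    """Helper so callers can check that a redemption is refused."""
    try:
        store.redeem(token, username, now=now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    s = InviteStore()
    link = s.create("acme", now=0.0)
    print(s.redeem(link, "alice", now=10.0))        # acme
    print(redeem_fails(s, link, "bob", now=20.0))    # True: single use
    s.delete_user("alice")
    print(redeem_fails(s, link, "bob", now=30.0))    # True: still consumed
    print(insecure_redeem(s, link, "mallory", cookie_says_used=False, now=40.0))  # acme: cookie trusted
```

The design point is that "used" is a property of the invite row, written once and never cleared, and the lookup key is a hash so a database read does not leak live tokens. Expiry and reuse are both rejected before any account row is written.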
‼ CVE-2022-4396 ‼
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib pyrdfa3 and classified as problematic. This issue affects the function _get_option of the file pyRdfa/__init__.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e. It is recommended to apply a patch to fix this issue. The identifier VDB-215249 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
via "National Vulnerability Database".
‼ CVE-2022-45145 ‼
egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS command execution during package installation via escape characters in a .egg file.
via "National Vulnerability Database".
‼ CVE-2022-4398 ‼
Integer Overflow or Wraparound in GitHub repository radareorg/radare2 prior to 5.8.0.
via "National Vulnerability Database".
‼ CVE-2022-4397 ‼
A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 36b2d4abe20a6245e4f8df7a4b14e130b24d429d. It is recommended to apply a patch to fix this issue. VDB-215250 is the identifier assigned to this vulnerability.
via "National Vulnerability Database".
‼ CVE-2022-4400 ‼
A vulnerability was found in zbl1996 FS-Blog and classified as problematic. This issue affects some unknown processing of the component Title Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-215267.
via "National Vulnerability Database".
‼ CVE-2022-4402 ‼
A vulnerability classified as critical has been found in RainyGao DocSys 2.02.37. This affects an unknown part of the component ZIP File Decompression Handler. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215271.
via "National Vulnerability Database".
‼ CVE-2022-4401 ‼
A vulnerability was found in pallidlight online-course-selection-system. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-215268.
via "National Vulnerability Database".
‼ CVE-2022-4407 ‼
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
via "National Vulnerability Database".