βΌ CVE-2022-3609 βΌ
π Read
via "National Vulnerability Database".
The GetYourGuide Ticketing WordPress plugin before 1.0.4 does not sanitise and escape some parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)π Read
via "National Vulnerability Database".
βΌ CVE-2022-45275 βΌ
π Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42716 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the Arm Mali GPU Kernel Driver. There is a use-after-free. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r4p0 through r32p0, Bifrost r1p0 through r40p0, and Valhall r19p0 through r40P0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46904 βΌ
π Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Self-XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41263 βΌ
π Read
via "National Vulnerability Database".
Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0925 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46903 βΌ
π Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Stored XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41262 βΌ
π Read
via "National Vulnerability Database".
Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality and integrity of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41261 βΌ
π Read
via "National Vulnerability Database".
SAP Solution Manager (Diagnostic Agent) - version 7.20, allows an authenticated attacker on Windows system to access a file containing sensitive data which can be used to access a configuration file which contains credentials to access other system files. Successful exploitation can make the attacker access files and systems for which he/she is not authorized.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46905 βΌ
π Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an unauthenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46906 βΌ
π Read
via "National Vulnerability Database".
Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allows an authenticated attacker to inject arbitrary HTML tags into the page processed by the user's browser, including scripts in the JavaScript programming language, which leads to Reflected XSS.π Read
via "National Vulnerability Database".
π΄ Metaparasites & the Dark Web: Scammers Turn on Their Own π΄
π Read
via "Dark Reading".
Sophos research unveiled at Black Hat Europe details a thriving subeconomy of fraud on the cybercrime underground, aimed at Dark Web forum users.π Read
via "Dark Reading".
Darkreading
Metaparasites & the Dark Web: Scammers Turn on Their Own
Sophos research unveiled at Black Hat Europe details a thriving subeconomy of fraud on the cybercrime underground, aimed at Dark Web forum users.
π΄ Rash of New Ransomware Variants Springs Up in the Wild π΄
π Read
via "Dark Reading".
Vohuk, ScareCrow, and AESRT add to the ransomware chaos that organizations have to contend with on a daily basis.π Read
via "Dark Reading".
Dark Reading
Rash of New Ransomware Variants Springs Up in the Wild
Vohuk, ScareCrow, and AESRT add to the ransomware chaos that organizations have to contend with on a daily basis.
βΌ CVE-2021-41943 βΌ
π Read
via "National Vulnerability Database".
Logrhythm Web Console 7.4.9 allows for HTML tag injection through Contextualize Action -> Create a new Contextualize Action -> Inject your HTML tag in the name field.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3931 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45269 βΌ
π Read
via "National Vulnerability Database".
A directory traversal vulnerability in the component SCS.Web.Server.SPI/1.0 of Linx Sphere LINX 7.35.ST15 allows attackers to read arbitrary files.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41264 βΌ
π Read
via "National Vulnerability Database".
Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41267 βΌ
π Read
via "National Vulnerability Database".
SAP Business Objects Platform - versions 420, and 430, allows an attacker with normal BI user privileges to upload/replace any file on Business Objects server at the operating system level, enabling the attacker to take full control of the system causing a high impact on confidentiality, integrity, and availability of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41273 βΌ
π Read
via "National Vulnerability Database".
Due to improper input sanitization in SAP Sourcing and SAP Contract Lifecycle Management - version 1100, an attacker can redirect a user to a malicious website. In order to perform this attack, the attacker sends an email to the victim with a manipulated link that appears to be a legitimate SAP Sourcing URL, since the victim doesnΓ’β¬β’t suspect the threat, they click on the link, log in to SAP Sourcing and CLM and at this point, they get redirected to a malicious website.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41275 βΌ
π Read
via "National Vulnerability Database".
In SAP Solution Manager (Enterprise Search) - versions 740, and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, can be redirected to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impact on confidentiality and integrity.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41272 βΌ
π Read
via "National Vulnerability Database".
An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application.π Read
via "National Vulnerability Database".