‼ CVE-2022-41272 ‼
📖 Read
via "National Vulnerability Database".
An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data across the entire system. This allows the attacker to have full read access to user data, make limited modifications to user data, and degrade the performance of the system, leading to a high impact on confidentiality and a limited impact on the availability and integrity of the application.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41274 ‼
📖 Read
via "National Vulnerability Database".
SAP Disclosure Management - version 10.1, allows an authenticated attacker to exploit certain misconfigured application endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can lead to the exposure of data like financial reports.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41271 ‼
📖 Read
via "National Vulnerability Database".
An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability affects local users and data, leading to a considerable impact on confidentiality as well as availability and a limited impact on the integrity of the application. These operations can be used to: * Read any information * Modify sensitive information * Denial of Service attacks (DoS) * SQL Injection📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41268 ‼
📖 Read
via "National Vulnerability Database".
In some SAP standard roles in SAP Business Planning and Consolidation - versions - SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, DWCORE 200, 300, CPMBPC 810, a transaction code reserved for the customer is used. By implementing such transaction code, a malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41266 ‼
📖 Read
via "National Vulnerability Database".
Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4444 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in ipti br.tag. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.13.0 is able to address this issue. The name of the patch is 7e311be22d3a0a1b53e61cb987ba13d681d85f06. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215431.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46160 ‼
📖 Read
via "National Vulnerability Database".
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to get some information provided by the widgets (e.g. number of members, content of the Notes widget...). This issue has been patched in Tuleap Community Edition 14.2.99.104, Tuleap Enterprise Edition 14.2-4, and Tuleap Enterprise Edition 14.1-5.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23473 ‼
📖 Read
via "National Vulnerability Database".
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23523 ‼
📖 Read
via "National Vulnerability Database".
In versions prior to 0.8.1, the linux-loader crate uses the offsets and sizes provided in the ELF headers to determine the offsets to read from. If those offsets point beyond the end of the file this could lead to Virtual Machine Monitors using the `linux-loader` crate entering an infinite loop if the ELF header of the kernel they are loading was modified in a malicious manner. This issue has been addressed in 0.8.1. The issue can be mitigated by ensuring that only trusted kernel images are loaded or by verifying that the headers do not point beyond the end of the file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41915 ‼
📖 Read
via "National Vulnerability Database".
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4098 ‼
📖 Read
via "National Vulnerability Database".
Multiple Wiesemann&Theis products of the ComServer Series are prone to an authentication bypass through IP spoofing. During an authenticated session to the WBM of the Com-Server an unauthenticated attacker in the same subnet can obtain the session ID and through IP spoofing change arbitrary settings by crafting modified HTTP Get requests. This may result in a complete takeover of the device.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23505 ‼
📖 Read
via "National Vulnerability Database".
Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46061 ‼
📖 Read
via "National Vulnerability Database".
AeroCMS v0.0.1 is vulnerable to ClickJacking.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38124 ‼
📖 Read
via "National Vulnerability Database".
Debug tool in Secomea SiteManager allows logged-in administrator to modify system state in an unintended manner.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46047 ‼
📖 Read
via "National Vulnerability Database".
AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46058 ‼
📖 Read
via "National Vulnerability Database".
AeroCMS v0.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.📖 Read
via "National Vulnerability Database".
🕴 The Cybersecurity Industry Doesn't Have a Stress Problem — It Has a Leadership Problem 🕴
📖 Read
via "Dark Reading".
Organizations need servant leaders to step forward and make their teams' professional effectiveness and happiness a priority.📖 Read
via "Dark Reading".
Dark Reading
The Cybersecurity Industry Doesn't Have a Stress Problem — It Has a Leadership Problem
Organizations need servant leaders to step forward and make their teams' professional effectiveness and happiness a priority.
🕴 Uber Breached, Again, After Attackers Compromise Third-Party Cloud 🕴
📖 Read
via "Dark Reading".
Threat actors leak employee email addresses, corporate reports, and IT asset information on a hacker forum after an attack on an Uber technology partner.📖 Read
via "Dark Reading".
Dark Reading
Uber Breached, Again, After Attackers Compromise Third-Party Cloud
Threat actors leak employee email addresses, corporate reports, and IT asset information on a hacker forum after an attack on an Uber technology partner.
🕴 Third Annual Global CISO Report Identifies Significant Shifts in Hiring and Retaining Security Talent 🕴
📖 Read
via "Dark Reading".
Research from Marlin Hawk also shows a 15% increase in CISOs holding STEM-related degrees year-over-year, diversifying the succession talent pool.📖 Read
via "Dark Reading".
Dark Reading
Third Annual Global CISO Report Identifies Significant Shifts in Hiring and Retaining Security Talent
Research from Marlin Hawk also shows a 15% increase in CISOs holding STEM-related degrees year-over-year, diversifying the succession talent pool.
🕴 Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest 🕴
📖 Read
via "Dark Reading".
Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.📖 Read
via "Dark Reading".
Dark Reading
Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest
Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.
🕴 Report: 79% of Employees Are Distracted at Work Amid a Year of Permacrisis 🕴
📖 Read
via "Dark Reading".
1Password's annual State of Access report reveals that distracted employees are twice as likely to do the bare minimum for security at work.📖 Read
via "Dark Reading".
Dark Reading
Report: 79% of Employees Are Distracted at Work Amid a Year of Permacrisis
1Password's annual State of Access report reveals that distracted employees are twice as likely to do the bare minimum for security at work.