‼ CVE-2022-41266 ‼
Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce.
via "National Vulnerability Database".
‼ CVE-2022-4444 ‼
A vulnerability was found in ipti br.tag. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 2.13.0 is able to address this issue. The name of the patch is 7e311be22d3a0a1b53e61cb987ba13d681d85f06. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215431.
via "National Vulnerability Database".
‼ CVE-2022-46160 ‼
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.104, project level authorizations are not properly verified when accessing the project "homepage"/dashboards. Users not authorized to access a project may still be able to get some information provided by the widgets (e.g. number of members, content of the Notes widget...). This issue has been patched in Tuleap Community Edition 14.2.99.104, Tuleap Enterprise Edition 14.2-4, and Tuleap Enterprise Edition 14.1-5.
via "National Vulnerability Database".
‼ CVE-2022-23473 ‼
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read-only permissions for pages are also able to edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6.
via "National Vulnerability Database".
‼ CVE-2022-23523 ‼
In versions prior to 0.8.1, the linux-loader crate uses the offsets and sizes provided in the ELF headers to determine the offsets to read from. If those offsets point beyond the end of the file this could lead to Virtual Machine Monitors using the `linux-loader` crate entering an infinite loop if the ELF header of the kernel they are loading was modified in a malicious manner. This issue has been addressed in 0.8.1. The issue can be mitigated by ensuring that only trusted kernel images are loaded or by verifying that the headers do not point beyond the end of the file.
via "National Vulnerability Database".
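The mitigation the advisory names, verifying that the ELF headers do not point beyond the end of the file, as an added example written in Rust. This is not code from the `linux-loader` crate; the function, error and builder names are this example's own, and the ELF64 image it checks is constructed inline. The check computes the program-header table's extent and each segment's file range with overflow-safe arithmetic before any offset is used, so a header that points past the end of the file (or wraps around `u64::MAX`) is rejected up front instead of being fed to a read loop.

```rust
// Added example, not the linux-loader crate's code: validate ELF64 header
// offsets against the file size before trusting them.
use std::convert::TryInto;

const EHDR_SIZE: usize = 64; // sizeof(Elf64_Ehdr)
const PHDR_SIZE: usize = 56; // sizeof(Elf64_Phdr)

#[derive(Debug, PartialEq)]
pub enum ElfCheckError {
    TooShort,
    BadMagic,
    Not64Bit,
    PhdrTableOutOfBounds,
    SegmentOutOfBounds(usize),
    Overflow,
}

fn u16_at(buf: &[u8], off: usize) -> u16 {
    u16::from_le_bytes(buf[off..off + 2].try_into().unwrap())
}

fn u64_at(buf: &[u8], off: usize) -> u64 {
    u64::from_le_bytes(buf[off..off + 8].try_into().unwrap())
}

/// Returns (p_offset, p_filesz) of every program header, or an error if the
/// program-header table or any segment's file range lies outside `image`.
/// Every read below is guarded by a prior bounds check, so a hostile header
/// can neither panic the checker nor make it read past the buffer.
pub fn check_elf64(image: &[u8]) -> Result<Vec<(u64, u64)>, ElfCheckError> {
    if image.len() < EHDR_SIZE {
        return Err(ElfCheckError::TooShort);
    }
    if &image[0..4] != b"\x7fELF" {
        return Err(ElfCheckError::BadMagic);
    }
    if image[4] != 2 {
        // EI_CLASS must be ELFCLASS64 for the offsets used below
        return Err(ElfCheckError::Not64Bit);
    }
    let len = image.len() as u64;
    let e_phoff = u64_at(image, 32);
    let e_phentsize = u64::from(u16_at(image, 54));
    let e_phnum = u64::from(u16_at(image, 56));
    if e_phentsize < PHDR_SIZE as u64 {
        return Err(ElfCheckError::PhdrTableOutOfBounds);
    }
    // Checked arithmetic: a crafted e_phoff near u64::MAX must not wrap
    // around into a range that looks valid.
    let table_size = e_phentsize.checked_mul(e_phnum).ok_or(ElfCheckError::Overflow)?;
    let table_end = e_phoff.checked_add(table_size).ok_or(ElfCheckError::Overflow)?;
    if table_end > len {
        return Err(ElfCheckError::PhdrTableOutOfBounds);
    }
    let mut segments = Vec::with_capacity(e_phnum as usize);
    for i in 0..e_phnum {
        // Safe to index: e_phoff + (i + 1) * e_phentsize <= table_end <= len.
        let base = (e_phoff + i * e_phentsize) as usize;
        let p_offset = u64_at(image, base + 8);
        let p_filesz = u64_at(image, base + 32);
        let seg_end = p_offset.checked_add(p_filesz).ok_or(ElfCheckError::Overflow)?;
        if seg_end > len {
            return Err(ElfCheckError::SegmentOutOfBounds(i as usize));
        }
        segments.push((p_offset, p_filesz));
    }
    Ok(segments)
}

/// Constructed sample image: ELF64 header, one PT_LOAD program header at
/// offset 64, then 16 bytes of payload (136 bytes total). The caller chooses
/// e_phoff and the segment's file range, so the same builder produces both
/// benign and malicious images.
pub fn build_image(phoff: u64, seg_offset: u64, seg_filesz: u64) -> Vec<u8> {
    let mut img = vec![0u8; EHDR_SIZE + PHDR_SIZE + 16];
    img[0..4].copy_from_slice(b"\x7fELF");
    img[4] = 2; // ELFCLASS64
    img[5] = 1; // ELFDATA2LSB
    img[32..40].copy_from_slice(&phoff.to_le_bytes());
    img[52..54].copy_from_slice(&(EHDR_SIZE as u16).to_le_bytes());
    img[54..56].copy_from_slice(&(PHDR_SIZE as u16).to_le_bytes());
    img[56..58].copy_from_slice(&1u16.to_le_bytes()); // e_phnum = 1
    let p = EHDR_SIZE;
    img[p..p + 4].copy_from_slice(&1u32.to_le_bytes()); // p_type = PT_LOAD
    img[p + 8..p + 16].copy_from_slice(&seg_offset.to_le_bytes());
    img[p + 32..p + 40].copy_from_slice(&seg_filesz.to_le_bytes());
    img
}

fn main() {
    println!("{:?}", check_elf64(&build_image(64, 120, 16))); // Ok([(120, 16)])
    println!("{:?}", check_elf64(&build_image(1 << 20, 120, 16))); // Err(PhdrTableOutOfBounds)
    println!("{:?}", check_elf64(&build_image(u64::MAX - 8, 120, 16))); // Err(Overflow)
    println!("{:?}", check_elf64(&build_image(64, 120, 1 << 40))); // Err(SegmentOutOfBounds(0))
}
```

The point of the design is that the check runs once, over the whole header set, before the loader issues a single read: a VMM that instead bounds-checks lazily inside its read loop can still spin if the loop's termination depends on an offset the header controls.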
‼ CVE-2022-41915 ‼
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by replacing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call with a `remove()` call followed by `add()` in a loop over the iterator of values.
via "National Vulnerability Database".
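What the unvalidated iterator path lets through, and why the advisory's workaround (remove, then add each value in a loop) closes it, as an added example. It is written in Rust as a generic illustration, not against Netty's Java API: the header map, its method names and the injected `Set-Cookie` value are all this example's own constructions. The map has the same two entry points the advisory contrasts, a set-from-iterator that stores values without validation and an `add` that validates each value, and a serializer that shows how a CRLF inside one value becomes a second header line on the wire.

```rust
// Added example, not Netty's code: every path that stores a header value
// must validate it, or a value containing CRLF splits the response.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub struct InvalidHeaderValue(pub String);

/// Reject bytes that would end the header line early or corrupt it
/// (CR, LF, NUL). This is the check the vulnerable path skipped.
pub fn validate_header_value(value: &str) -> Result<(), InvalidHeaderValue> {
    if value.bytes().any(|b| b == b'\r' || b == b'\n' || b == 0) {
        Err(InvalidHeaderValue(value.to_string()))
    } else {
        Ok(())
    }
}

#[derive(Default)]
pub struct Headers {
    map: BTreeMap<String, Vec<String>>,
}

impl Headers {
    /// Validated insertion path: one value, checked before it is stored.
    pub fn add(&mut self, name: &str, value: &str) -> Result<(), InvalidHeaderValue> {
        validate_header_value(value)?;
        self.map.entry(name.to_ascii_lowercase()).or_default().push(value.to_string());
        Ok(())
    }

    /// Vulnerable pattern: replace all values from an iterator without
    /// validating any of them (hypothetical method, mirrors the bug class).
    pub fn set_iter_unchecked<I: IntoIterator<Item = String>>(&mut self, name: &str, values: I) {
        self.map.insert(name.to_ascii_lowercase(), values.into_iter().collect());
    }

    /// The advisory's workaround: remove(), then add() in a loop, so each
    /// value passes through the validated path.
    pub fn set_iter_checked<I: IntoIterator<Item = String>>(
        &mut self,
        name: &str,
        values: I,
    ) -> Result<(), InvalidHeaderValue> {
        self.map.remove(&name.to_ascii_lowercase());
        for v in values {
            self.add(name, &v)?;
        }
        Ok(())
    }

    /// Wire form: "name: value\r\n" per value, then the blank line.
    pub fn serialize(&self) -> String {
        let mut out = String::new();
        for (name, values) in &self.map {
            for v in values {
                out.push_str(name);
                out.push_str(": ");
                out.push_str(v);
                out.push_str("\r\n");
            }
        }
        out.push_str("\r\n");
        out
    }
}

/// Count header lines the way a receiver parses them: one per CRLF, up to
/// the empty line. An injected CRLF shows up as an extra line here.
pub fn count_header_lines(wire: &str) -> usize {
    wire.split("\r\n").take_while(|line| !line.is_empty()).count()
}

fn main() {
    // Constructed hostile value: one cookie plus an injected second header.
    let hostile = vec!["session=abc\r\nX-Injected: 1".to_string()];

    let mut vulnerable = Headers::default();
    vulnerable.set_iter_unchecked("Set-Cookie", hostile.clone());
    println!("unchecked path -> {} header lines", count_header_lines(&vulnerable.serialize())); // 2

    let mut hardened = Headers::default();
    println!("checked path -> {:?}", hardened.set_iter_checked("Set-Cookie", hostile)); // Err(...)
}
```

Note that the workaround has one semantic difference from an atomic `set`: because `remove()` runs first and `add()` is called per value, a rejected value leaves the earlier values of the same iterator in place. That is acceptable for an error that aborts the response, but worth knowing if the caller retries.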
‼ CVE-2022-4098 ‼
Multiple Wiesemann&Theis products of the ComServer Series are prone to an authentication bypass through IP spoofing. During an authenticated session to the WBM of the Com-Server, an unauthenticated attacker in the same subnet can obtain the session ID and, through IP spoofing, change arbitrary settings by crafting modified HTTP GET requests. This may result in a complete takeover of the device.
via "National Vulnerability Database".
‼ CVE-2022-23505 ‼
Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed assertion. Depending on the IDP used, fully unauthenticated attacks (e.g. without access to a valid user) might also be feasible if generation of a signed message can be triggered. This issue is patched in version 4.6.3. Use of SAML2 authentication instead of WSFed is a workaround.
via "National Vulnerability Database".
‼ CVE-2022-46061 ‼
AeroCMS v0.0.1 is vulnerable to ClickJacking.
via "National Vulnerability Database".
‼ CVE-2022-38124 ‼
Debug tool in Secomea SiteManager allows logged-in administrator to modify system state in an unintended manner.
via "National Vulnerability Database".
‼ CVE-2022-46047 ‼
AeroCMS v0.0.1 is vulnerable to SQL Injection via the delete parameter.
via "National Vulnerability Database".
‼ CVE-2022-46058 ‼
AeroCMS v0.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.
via "National Vulnerability Database".
🕴 The Cybersecurity Industry Doesn't Have a Stress Problem — It Has a Leadership Problem 🕴
Organizations need servant leaders to step forward and make their teams' professional effectiveness and happiness a priority.
via "Dark Reading".
🕴 Uber Breached, Again, After Attackers Compromise Third-Party Cloud 🕴
Threat actors leak employee email addresses, corporate reports, and IT asset information on a hacker forum after an attack on an Uber technology partner.
via "Dark Reading".
🕴 Third Annual Global CISO Report Identifies Significant Shifts in Hiring and Retaining Security Talent 🕴
Research from Marlin Hawk also shows a 15% increase in CISOs holding STEM-related degrees year-over-year, diversifying the succession talent pool.
via "Dark Reading".
🕴 Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest 🕴
Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.
via "Dark Reading".
🕴 Report: 79% of Employees Are Distracted at Work Amid a Year of Permacrisis 🕴
1Password's annual State of Access report reveals that distracted employees are twice as likely to do the bare minimum for security at work.
via "Dark Reading".
🕴 Niels Provos Joins Lacework as Head of Security Efficacy 🕴
Former Head of Security at Stripe and Distinguished Security Engineer at Google joins cloud security leader to help scale security excellence across customer base.
via "Dark Reading".
🕴 Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce 🕴
Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.
via "Dark Reading".
🗓️ Cloud flaws brought to the fore as bug bounty vulnerabilities hit 65k in 2022 – HackerOne 🗓️
Impact of cloud migration and shift to remote work evident in new report.
via "The Daily Swig".