CVE-2022-4207
via "National Vulnerability Database".
The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several values that can be added to an Image Hover in versions 9.8.1 to 9.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.
Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update
via "Dark Reading".
Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.
FBI's Vetted Info Sharing Network "InfraGard" Hacked
via "Krebs on Security".
InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online -- using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
COVID-bit: the wireless spyware trick with an unfortunate name
via "Naked Security".
It's not the switching that's the problem, it's the switching of the switching!
Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware
via "Naked Security".
Tales of derring-do in the cyberunderground! (And some zero-days.)
CVE-2022-42141
via "National Vulnerability Database".
Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Cross Site Scripting (XSS) via lform/urlfilter.
CVE-2022-42139
via "National Vulnerability Database".
Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.
CVE-2022-42140
via "National Vulnerability Database".
Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Command Injection via lform/net_diagnose.
CVE-2022-44874
via "National Vulnerability Database".
wasm3 commit 7890a2097569fde845881e0b352d813573e371f9 was discovered to contain a segmentation fault via the component op_CallIndirect at /m3_exec.h.
CVE-2022-37155
via "National Vulnerability Database".
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via a GET parameter.
CVE-2022-40264
via "National Vulnerability Database".
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user to import a project package file crafted by the attacker.
Apple patches everything, finally reveals mystery of iOS 16.1.2
via "Naked Security".
There's an update for everything this time, not just for iOS.
CVE-2020-9420
via "National Vulnerability Database".
The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.
CVE-2022-24377
via "National Vulnerability Database".
The package cycle-import-check before 1.3.2 is vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.
CVE-2020-9419
via "National Vulnerability Database".
Multiple stored cross-site scripting (XSS) vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domain_name parameters present in the LAN configuration section of the administrative dashboard.
CVE-2022-3590
via "National Vulnerability Database".
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2022-23501
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.
CVE-2022-23504
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.
CVE-2022-23503
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.
CVE-2022-4437
via "National Vulnerability Database".
Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Akamai WAF bypassed via Spring Boot to trigger RCE
via "The Daily Swig".
Akamai issued an update to resolve the flaw several months ago.