β Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware β
π Read
via "Naked Security".
Tales of derring-do in the cyberunderground! (And some zero-days.)π Read
via "Naked Security".
Naked Security
Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware
Tales of derring-do in the cyberunderground! (And some zero-days.)
βΌ CVE-2022-42141 βΌ
π Read
via "National Vulnerability Database".
Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Cross Site Scripting (XSS) via lform/urlfilter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42139 βΌ
π Read
via "National Vulnerability Database".
Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL.π Read
via "National Vulnerability Database".
βΌ CVE-2022-42140 βΌ
π Read
via "National Vulnerability Database".
Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Command Injection via lform/net_diagnose.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44874 βΌ
π Read
via "National Vulnerability Database".
wasm3 commit 7890a2097569fde845881e0b352d813573e371f9 was discovered to contain a segmentation fault via the component op_CallIndirect at /m3_exec.h.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37155 βΌ
π Read
via "National Vulnerability Database".
RCE in SPIP 3.1.13 through 4.1.2 allows remote authenticated users to execute arbitrary code via a GET parameterπ Read
via "National Vulnerability Database".
βΌ CVE-2022-40264 βΌ
π Read
via "National Vulnerability Database".
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user import a project package file crafted by the attacker.π Read
via "National Vulnerability Database".
π1
β Apple patches everything, finally reveals mystery of iOS 16.1.2 β
π Read
via "Naked Security".
There's an update for everything this time, not just for iOS.π Read
via "Naked Security".
Naked Security
Apple patches everything, finally reveals mystery of iOS 16.1.2
Thereβs an update for everything this time, not just for iOS.
βΌ CVE-2020-9420 βΌ
π Read
via "National Vulnerability Database".
The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24377 βΌ
π Read
via "National Vulnerability Database".
The package cycle-import-check before 1.3.2 are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization.π Read
via "National Vulnerability Database".
βΌ CVE-2020-9419 βΌ
π Read
via "National Vulnerability Database".
Multiple stored cross-site scripting (XSS) vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domain_name parameters present in the LAN configuration section of the administrative dashboard.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3590 βΌ
π Read
via "National Vulnerability Database".
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23501 βΌ
π Read
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system. In versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 TYPO3 is vulnerable to Improper Authentication. Restricting frontend login to specific users, organized in different storage folders (partitions), can be bypassed. A potential attacker might use this ambiguity in usernames to get access to a different account - however, credentials must be known to the adversary. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23504 βΌ
π Read
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system. Versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are subject to Sensitive Information Disclosure. Due to the lack of handling user-submitted YAML placeholder expressions in the site configuration backend module, attackers could expose sensitive internal information, such as system configuration or HTTP request messages of other website visitors. A valid backend user account having administrator privileges is needed to exploit this vulnerability. This issue has been patched in versions 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23503 βΌ
π Read
via "National Vulnerability Database".
TYPO3 is an open source PHP based web content management system. Versions prior to 8.7.49, 9.5.38, 10.4.33, 11.5.20, and 12.1.1 are vulnerable to Code Injection. Due to the lack of separating user-submitted data from the internal configuration in the Form Designer backend module, it is possible to inject code instructions to be processed and executed via TypoScript as PHP code. The existence of individual TypoScript instructions for a particular form item and a valid backend user account with access to the form module are needed to exploit this vulnerability. This issue is patched in versions 8.7.49 ELTS, 9.5.38 ELTS, 10.4.33, 11.5.20, 12.1.1.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4437 βΌ
π Read
via "National Vulnerability Database".
Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)π Read
via "National Vulnerability Database".
ποΈ Akamai WAF bypassed via Spring Boot to trigger RCE ποΈ
π Read
via "The Daily Swig".
Akamai issued an update to resolve the flaw several months agoπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Akamai WAF bypassed via Spring Boot to trigger RCE
Akamai issued an update to resolve the flaw several months ago
π1
βΌ CVE-2022-4493 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in scifio. Affected by this vulnerability is the function downloadAndUnpackResource of the file src/test/java/io/scif/util/DefaultSampleFilesService.java of the component ZIP File Handler. The manipulation leads to path traversal. The attack can be launched remotely. The name of the patch is fcb0dbca0ec72b22fe0c9ddc8abc9cb188a0ff31. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215803.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4494 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as critical, has been found in bspkrs MCPMappingViewer. Affected by this issue is the function extractZip of the file src/main/java/bspkrs/mmv/RemoteZipHandler.java of the component ZIP File Handler. The manipulation leads to path traversal. The attack may be launched remotely. The name of the patch is 6e602746c96b4756c271d080dae7d22ad804a1bd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215804.π Read
via "National Vulnerability Database".
π΄ Cybersecurity Drives Improvements in Business Goals π΄
π Read
via "Dark Reading".
Deloitte's Future of Cyber study highlights the fact that cybersecurity is an essential part of business success and should not be limited to just mitigating IT risks.π Read
via "Dark Reading".
π΄ Analysis Shows Attackers Favor PowerShell, File Obfuscation π΄
π Read
via "Dark Reading".
Aiming to give threat hunters a list of popular attack tactics, a cybersecurity team analyzed collections of real-world threat data to find attackers' most popular techniques.π Read
via "Dark Reading".
Dark Reading
Analysis Shows Attackers Favor PowerShell, File Obfuscation
Aiming to give threat hunters a list of popular attack tactics, a cybersecurity team analyzed collections of real-world threat data to find attackers' most popular techniques.
π1