βΌ CVE-2022-31703 βΌ
π Read
via "National Vulnerability Database".
vRealize Network Insight (vRNI) directory traversal vulnerability in vRNI REST API. A malicious actor with network access to the vRNI REST API can read arbitrary files from the server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31701 βΌ
π Read
via "National Vulnerability Database".
VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31705 βΌ
π Read
via "National Vulnerability Database".
VMware ESXi, Workstation, and Fusion contain a heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI). A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23741 βΌ
π Read
via "National Vulnerability Database".
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31702 βΌ
π Read
via "National Vulnerability Database".
vRealize Network Insight (vRNI) contains a command injection vulnerability present in the vRNI REST API. A malicious actor with network access to the vRNI REST API can execute commands without authentication.π Read
via "National Vulnerability Database".
βοΈ Six Charged in Mass Takedown of DDoS-for-Hire Sites βοΈ
π Read
via "Krebs on Security".
The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold βbooterβ or βstresserβ services β businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.π Read
via "Krebs on Security".
Krebs on Security
Six Charged in Mass Takedown of DDoS-for-Hire Sites
The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold βbooterβ or βstresserβ services β businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed knockβ¦
π΄ Cybereason Warns Global Organizations Against Destructive Ransomware Attacks From Black Basta Gang π΄
π Read
via "Dark Reading".
The Royal Ransomware Group has emerged as a threat to companies in 2022 and they have carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat.π Read
via "Dark Reading".
Dark Reading
Cybereason Warns Global Organizations Against Destructive Ransomware Attacks From Black Basta Gang
The Royal Ransomware Group has emerged as a threat to companies in 2022 and they have carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat.
π΄ NSA Slices Up 5G Mobile Security Risks π΄
π Read
via "Dark Reading".
The feds' mobile service provider guidance details cybersecurity threat vectors associated with 5G network slicing.π Read
via "Dark Reading".
Dark Reading
NSA Slices Up 5G Mobile Security Risks
The feds' mobile service provider guidance details cybersecurity threat vectors associated with 5G network slicing.
βΌ CVE-2022-3104 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel through 5.16-rc6. lkdtm_ARRAY_BOUNDS in drivers/misc/lkdtm/bugs.c lacks check of the return value of kmalloc() and will cause the null pointer dereference.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3105 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel through 5.16-rc6. uapi_finalize in drivers/infiniband/core/uverbs_uapi.c lacks check of kmalloc_array().π Read
via "National Vulnerability Database".
βΌ CVE-2022-46344 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in X.Org. This security flaw occurs because the handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47409 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Attackers can unsubscribe everyone via a series of modified subscription UIDs in deleteAction operations.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4501 βΌ
π Read
via "National Vulnerability Database".
The Mega Addons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the vc_saving_data function in versions up to, and including, 4.2.7. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin's settings.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2601 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46343 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in X.Org. This security flaw occurs because the handler for the ScreenSaverSetAttributes request may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47411 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. Data about subscribers may be obtained via unsubscribeAction operations.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47408 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the fp_newsletter (aka Newsletter subscriber management) extension before 1.1.1, 1.2.0, 2.x before 2.1.2, 2.2.1 through 2.4.0, and 3.x before 3.2.6 for TYPO3. There is a CAPTCHA bypass that can lead to subscribing many people.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47406 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3106 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel through 5.16-rc6. ef100_update_stats in drivers/net/ethernet/sfc/ef100_nic.c lacks check of the return value of kmalloc().π Read
via "National Vulnerability Database".
βΌ CVE-2022-3107 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel through 5.16-rc6. netvsc_get_ethtool_stats in drivers/net/hyperv/netvsc_drv.c lacks check of the return value of kvmalloc_array() and will cause the null pointer dereference.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4283 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests.. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.π Read
via "National Vulnerability Database".