βΌ CVE-2022-4523 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in vexim2. This issue affects some unknown processing. The manipulation leads to cross site scripting. The attack may be initiated remotely. The name of the patch is 21c0a60d12e9d587f905cd084b2c70f9b1592065. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215903.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4521 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.7. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.8.12 is able to address this issue. The name of the patch is 9f967abfde9317bee2cda469dbc09b57d539f2cc. It is recommended to upgrade the affected component. The identifier VDB-215901 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4526 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in django-photologue up to 3.15.1 and classified as problematic. Affected by this issue is some unknown functionality of the file photologue/templates/photologue/photo_detail.html of the component Default Template Handler. The manipulation of the argument object.caption leads to cross site scripting. The attack may be launched remotely. Upgrading to version 3.16 is able to address this issue. The name of the patch is 960cb060ce5e2964e6d716ff787c72fc18a371e7. It is recommended to apply a patch to fix this issue. VDB-215906 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4520 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in WSO2 carbon-registry up to 4.8.11. It has been rated as problematic. Affected by this issue is some unknown functionality of the file components/registry/org.wso2.carbon.registry.search.ui/src/main/resources/web/search/advancedSearchForm-ajaxprocessor.jsp of the component Advanced Search. The manipulation of the argument mediaType/rightOp/leftOp/rightPropertyValue/leftPropertyValue leads to cross site scripting. The attack may be launched remotely. Upgrading to version 4.8.12 is able to address this issue. The name of the patch is 0c827cc1b14b82d8eb86117ab2e43c34bb91ddb4. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215900.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4525 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been found in National Sleep Research Resource sleepdata.org up to 59.0.0.rc and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 59.0.0 is able to address this issue. The name of the patch is da44a3893b407087829b006d09339780919714cd. It is recommended to upgrade the affected component. The identifier VDB-215905 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
π΄ Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe π΄
π Read
via "Dark Reading".
Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.π Read
via "Dark Reading".
Dark Reading
Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe
Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.
π Faraday 4.3.1 π
π Read
via "Packet Storm Security".
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.π Read
via "Packet Storm Security".
Packetstormsecurity
Faraday 4.3.1 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π΄ Compliance Is Not Enough: How to Manage Your Customer Data π΄
π Read
via "Dark Reading".
Effective customer data management helps companies avoid data breaches and the resulting cascade of issues. From validating "clean" data to centralized storage and a data governance strategy, management steps can help keep data safe.π Read
via "Dark Reading".
Dark Reading
Compliance Is Not Enough: How to Manage Your Customer Data
Effective customer data management helps companies avoid data breaches and the resulting cascade of issues. From validating "clean" data to centralized storage and a data governance strategy, management steps can help keep data safe.
βΌ CVE-2022-41961 βΌ
π Read
via "National Vulnerability Database".
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41963 βΌ
π Read
via "National Vulnerability Database".
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1π Read
via "National Vulnerability Database".
βΌ CVE-2022-36223 βΌ
π Read
via "National Vulnerability Database".
In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41962 βΌ
π Read
via "National Vulnerability Database".
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46870 βΌ
π Read
via "National Vulnerability Database".
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.π Read
via "National Vulnerability Database".
βΌ CVE-2021-28655 βΌ
π Read
via "National Vulnerability Database".
The improper Input Validation vulnerability in "Γ’β¬οΏ½Move folder to TrashΓ’β¬οΏ½ feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4555 βΌ
π Read
via "National Vulnerability Database".
The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate() function hooked via init() in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site. This can be used to deactivate security plugins that aids in exploiting other vulnerabilities.π Read
via "National Vulnerability Database".
β S3 Ep113: Pwning the Windows kernel β the crooks who hoodwinked Microsoft [Audio + Text] β
π Read
via "Naked Security".
Return o' the rookit, super-sneaky wireless spyware, credit card skimming, and patches galore. Listen and learn!π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Chinese APT Group MirrorFace Interferes in Japanese Elections π΄
π Read
via "Dark Reading".
The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.π Read
via "Dark Reading".
Dark Reading
Chinese APT Group MirrorFace Interferes in Japanese Elections
The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.
π΄ Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping π΄
π Read
via "Dark Reading".
The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.π Read
via "Dark Reading".
Dark Reading
Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping
The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.
βΌ CVE-2022-20560 βΌ
π Read
via "National Vulnerability Database".
Product: AndroidVersions: Android kernelAndroid ID: A-212623833References: N/Aπ Read
via "National Vulnerability Database".
βΌ CVE-2022-20531 βΌ
π Read
via "National Vulnerability Database".
In placeCall of TelecomManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-231988638π Read
via "National Vulnerability Database".
βΌ CVE-2022-20506 βΌ
π Read
via "National Vulnerability Database".
In onCreate of WifiDialogActivity.java, there is a missing permission check. This could lead to local escalation of privilege from a guest user with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-226133034π Read
via "National Vulnerability Database".