CVE-2022-44469
via "National Vulnerability Database".
Adobe Experience Manager version 6.5.14 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat
via "The Daily Swig".
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
Organizations Unprepared for Upcoming Data Privacy Regulations
via "Dark Reading".
A comprehensive data privacy program requires involvement from all parts of the business that deal with personal data.
With SASE Definition Still Cloudy, Forum Proposes Standard
via "Dark Reading".
Even without an overarching dictionary of common definitions, the concept of a secure access service edge (SASE) has spread, but a standard could help cloud services work better together.
CVE-2022-4561
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in SemanticDrilldown Extension. Affected is the function printFilterLine of the file includes/specials/SDBrowseDataPage.php of the component GET Parameter Handler. The manipulation of the argument value leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is 6e18cf740a4548166c1d95f6d3a28541d298a3aa. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215964.
CVE-2022-4559
via "National Vulnerability Database".
A vulnerability was found in INEX IPX-Manager up to 6.2.0. It has been declared as problematic. This vulnerability affects unknown code of the file resources/views/customer/list.foil.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 6.3.0 is able to address this issue. The name of the patch is bc9b14c6f70cccdb89b559e8bc3a7318bfe9c243. It is recommended to upgrade the affected component. VDB-215962 is the identifier assigned to this vulnerability.
CVE-2022-41972
via "National Vulnerability Database".
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 contain a NULL Pointer Dereference in BLE L2CAP module. The Contiki-NG operating system for IoT devices contains a Bluetooth Low Energy stack. An attacker can inject a packet in this stack, which causes the implementation to dereference a NULL pointer and triggers undefined behavior. More specifically, while processing the L2CAP protocol, the implementation maps an incoming channel ID to its metadata structure. In this structure, state information regarding credits is managed through calls to the function input_l2cap_credit in the module os/net/mac/ble/ble-l2cap.c. Unfortunately, the input_l2cap_credit function does not check that the metadata corresponding to the user-supplied channel ID actually exists, which can lead to the channel variable being set to NULL before a pointer dereferencing operation is performed. The vulnerability has been patched in the "develop" branch of Contiki-NG, and will be included in release 4.9. Users can apply the patch in Contiki-NG pull request #2253 as a workaround until the new package is released.
CVE-2022-4558
via "National Vulnerability Database".
A vulnerability was found in Alinto SOGo up to 5.7.1. It has been classified as problematic. This affects an unknown part of the file SoObjects/SOGo/NSString+Utilities.m of the component Folder/Mail Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is 1e0f5f00890f751e84d67be4f139dd7f00faa5f3. It is recommended to upgrade the affected component. The identifier VDB-215961 was assigned to this vulnerability.
CVE-2022-4564
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in University of Central Florida Materia up to 9.0.1-alpha1. This affects the function before of the file fuel/app/classes/controller/api.php of the component API Controller. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 9.0.2-alpha2 is able to address this issue. The name of the patch is af259115d2e8f17068e61902151ee8a9dbac397b. It is recommended to upgrade the affected component. The identifier VDB-215973 was assigned to this vulnerability.
CVE-2022-41964
via "National Vulnerability Database".
BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds.
CVE-2022-41992
via "National Vulnerability Database".
A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.
CVE-2022-4556
via "National Vulnerability Database".
A vulnerability was found in Alinto SOGo up to 5.7.1 and classified as problematic. Affected by this issue is the function _migrateMailIdentities of the file SoObjects/SOGo/SOGoUserDefaults.m of the component Identity Handler. The manipulation of the argument fullName leads to cross site scripting. The attack may be launched remotely. Upgrading to version 5.8.0 is able to address this issue. The name of the patch is efac49ae91a4a325df9931e78e543f707a0f8e5e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215960.
CVE-2022-4563
via "National Vulnerability Database".
A vulnerability was found in Freedom of the Press SecureDrop. It has been rated as critical. Affected by this issue is some unknown functionality of the file gpg-agent.conf. The manipulation leads to symlink following. Local access is required to approach this attack. The name of the patch is b0526a06f8ca713cce74b63e00d3730618d89691. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215972.
CVE-2022-4560
via "National Vulnerability Database".
A vulnerability was found in Joget up to 7.0.32. It has been rated as problematic. This issue affects the function getInternalJsCssLib of the file wflow-core/src/main/java/org/joget/plugin/enterprise/UniversalTheme.java of the component wflow-core. The manipulation of the argument key leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 8.0-BETA is able to address this issue. The name of the patch is ecf8be8f6f0cb725c18536ddc726d42a11bdaa1b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-215963.
CVE-2022-46109
via "National Vulnerability Database".
Tenda AC15 V15.03.06.23 is vulnerable to Buffer Overflow via function formSetClientState.
CVE-2022-4565
via "National Vulnerability Database".
A vulnerability classified as problematic was found in Dromara HuTool up to 5.8.10. This vulnerability affects unknown code of the file cn.hutool.core.util.ZipUtil.java. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.8.11 is able to address this issue. It is recommended to upgrade the affected component. VDB-215974 is the identifier assigned to this vulnerability.
CVE-2022-2966
via "National Vulnerability Database".
Out-of-bounds Read vulnerability in Delta Electronics DOPSoft. This issue affects DOPSoft: All Versions.
CVE-2022-47209
via "National Vulnerability Database".
A support user exists on the device and appears to be a backdoor for Technical Support staff. The default password for this account is “support” and cannot be changed by a user via any normally accessible means.
CVE-2022-47210
via "National Vulnerability Database".
The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.
CVE-2022-3166
via "National Vulnerability Database".
Rockwell Automation was made aware that the webservers of the Micrologix 1100 and 1400 controllers contain a vulnerability that may lead to a denial-of-service condition. The security vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to webserver and closing it abruptly which would cause a denial-of-service condition for the web server application on the device.
CVE-2022-47208
via "National Vulnerability Database".
The “puhttpsniff” service, which runs by default, is susceptible to command injection due to improperly sanitized user input. An unauthenticated attacker on the same network segment as the router can execute arbitrary commands on the device without authentication.