βΌ CVE-2022-44940 βΌ
π Read
via "National Vulnerability Database".
Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43887 βΌ
π Read
via "National Vulnerability Database".
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40434 βΌ
π Read
via "National Vulnerability Database".
Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43883 βΌ
π Read
via "National Vulnerability Database".
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to a Log Injection attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 240266.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38708 βΌ
π Read
via "National Vulnerability Database".
IBM Cognos Analytics 11.1.7 11.2.0, and 11.2.1 could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system. IBM X-Force ID: 234180.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23543 βΌ
π Read
via "National Vulnerability Database".
Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.π Read
via "National Vulnerability Database".
βΌ CVE-2022-39160 βΌ
π Read
via "National Vulnerability Database".
IBM Cognos Analytics 11.2.1, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 235064.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46402 βΌ
π Read
via "National Vulnerability Database".
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) accepts PairCon_rmSend with incorrect values.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46401 βΌ
π Read
via "National Vulnerability Database".
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) accepts PauseEncReqPlainText before pairing is complete.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46403 βΌ
π Read
via "National Vulnerability Database".
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) mishandles reject messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44108 βΌ
π Read
via "National Vulnerability Database".
pdftojson commit 94204bb was discovered to contain a stack overflow via the component Object::copy(Object*):Object.cc.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3752 βΌ
π Read
via "National Vulnerability Database".
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic load to cause a denial-of-service condition resulting in a denial-of-service condition. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46399 βΌ
π Read
via "National Vulnerability Database".
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) is unresponsive with ConReqTimeoutZero.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46400 βΌ
π Read
via "National Vulnerability Database".
The Microchip RN4870 module firmware 1.43 (and the Microchip PIC LightBlue Explorer Demo 4.2 DT100112) allows attackers to bypass passkey entry in legacy pairing.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47551 βΌ
π Read
via "National Vulnerability Database".
Apiman 1.5.7 through 2.2.3.Final has insufficient checks for read permissions within the Apiman Manager REST API. The root cause of the issue is the Apiman project's accidental acceptance of a large contribution that was not fully compatible with the security model of Apiman versions before 3.0.0.Final. Because of this, 3.0.0.Final is not affected by the vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44109 βΌ
π Read
via "National Vulnerability Database".
pdftojson commit 94204bb was discovered to contain a stack overflow via the component Stream::makeFilter(char*, Stream*, Object*, int).π Read
via "National Vulnerability Database".
βοΈ Hacked Ring Cams Used to Record Swatting Victims βοΈ
π Read
via "Krebs on Security".
Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then "swatting" them -- falsely reporting a violent incident at the target's address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets' homes, and to taunt authorities when they arrived.π Read
via "Krebs on Security".
Krebs on Security
Hacked Ring Cams Used to Record Swatting Victims
Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then "swatting" them -- falsely reporting a violent incident at the target's address to trick local police into responding withβ¦
π1
βΌ CVE-2022-25904 βΌ
π Read
via "National Vulnerability Database".
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25171 βΌ
π Read
via "National Vulnerability Database".
The package p4 before 0.0.7 are vulnerable to Command Injection via the run() function due to improper input sanitizationπ Read
via "National Vulnerability Database".
βΌ CVE-2022-25940 βΌ
π Read
via "National Vulnerability Database".
All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47578 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system.π Read
via "National Vulnerability Database".