βΌ CVE-2022-4643 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in docconv up to 1.3.4. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.3.5 is able to address this issue. The name of the patch is b19021ade3d0b71c89d35cb00eb9e589a121faa5. It is recommended to upgrade the affected component. VDB-216502 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4275 βΌ
π Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in katlings pyambic-pentameter. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 974f21aa1b2527ef39c8afe1a5060548217deca8. It is recommended to apply a patch to fix this issue. VDB-216498 is the identifier assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4641 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in pig-vector and classified as problematic. Affected by this issue is the function LogisticRegression of the file src/main/java/org/apache/mahout/pig/LogisticRegression.java. The manipulation leads to insecure temporary file. The attack needs to be approached locally. The name of the patch is 1e7bd9fab5401a2df18d2eabd802adcf0dcf1f15. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216500.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3185 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product exposes sensitive data concerning the device.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3186 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the deviceΓ’β¬β’s main management page from the cloud. This feature enables users to remotely connect devices, however, the current implementation permits users to access other device's information.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3184 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the deviceΓ’β¬β’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3188 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file includes the latest actions completed by specific users.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3187 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where certain PHP pages only validate when a valid connection is established with the database. However, these PHP pages do not verify the validity of a user. Attackers could leverage this lack of verification to read the state of outlets.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3183 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-3189 βΌ
π Read
via "National Vulnerability Database".
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specially crafted PHP script could use parameters from a HTTP request to create a URL capable of changing the host parameter. The changed host parameter in the HTTP could point to another host that will send a request to the host or IP specified in the changed host parameter.π Read
via "National Vulnerability Database".
π cryptmount Filesystem Manager 6.1.1 π
π Read
via "Packet Storm Security".
cryptmount is a utility for creating and managing secure filing systems on GNU/Linux systems. After initial setup, it allows any user to mount or unmount filesystems on demand, solely by providing the decryption password, with any system devices needed to access the filing system being configured automatically. A wide variety of encryption schemes (provided by the kernel dm-crypt system and the libgcrypt library) can be used to protect both the filesystem and the access key. The protected filing systems can reside in either ordinary files or disk partitions. The package also supports encrypted swap partitions, and automatic configuration on system boot-up.π Read
via "Packet Storm Security".
Packetstormsecurity
cryptmount Filesystem Manager 6.1.1 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2022-41654 βΌ
π Read
via "National Vulnerability Database".
An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-41697 βΌ
π Read
via "National Vulnerability Database".
A user enumeration vulnerability exists in the login functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send a series of HTTP requests to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36624 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in ahorner text-helpers 1.1.0/1.1.1. It has been declared as critical. This vulnerability affects unknown code of the file lib/text_helpers/translation.rb. The manipulation of the argument link leads to use of web link to untrusted target with window.opener access. The attack can be initiated remotely. Upgrading to version 1.2.0 is able to address this issue. The name of the patch is 184b60ded0e43c985788582aca2d1e746f9405a3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216520.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36625 βΌ
π Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.π Read
via "National Vulnerability Database".
ποΈ Zoom Whiteboard patches XSS bug ποΈ
π Read
via "The Daily Swig".
Video conferencing platform fixes cross-site scripting vulnerabilityπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Zoom Whiteboard patches XSS bug
Video conferencing platform fixes cross-site scripting vulnerability
βΌ CVE-2022-47895 βΌ
π Read
via "National Vulnerability Database".
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47896 βΌ
π Read
via "National Vulnerability Database".
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45347 βΌ
π Read
via "National Vulnerability Database".
Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.π Read
via "National Vulnerability Database".
π΄ Threat Modeling in the Age of OpenAI's Chatbot π΄
π Read
via "Dark Reading".
New technical chatbot capabilities raise the promise that their help in threat modeling could free humans for more interesting work.π Read
via "Dark Reading".
Dark Reading
Threat Modeling in the Age of OpenAI's Chatbot
New technical chatbot capabilities raise the promise that their help in threat modeling could free humans for more interesting work.
π΄ Google WordPress Plug-in Bug Allows AWS Metadata Theft π΄
π Read
via "Dark Reading".
A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.π Read
via "Dark Reading".
Dark Reading
Google WordPress Plug-in Bug Allows AWS Metadata Theft
A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.