βΌ CVE-2020-36625 βΌ
π Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.π Read
via "National Vulnerability Database".
ποΈ Zoom Whiteboard patches XSS bug ποΈ
π Read
via "The Daily Swig".
Video conferencing platform fixes cross-site scripting vulnerabilityπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Zoom Whiteboard patches XSS bug
Video conferencing platform fixes cross-site scripting vulnerability
βΌ CVE-2022-47895 βΌ
π Read
via "National Vulnerability Database".
In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47896 βΌ
π Read
via "National Vulnerability Database".
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45347 βΌ
π Read
via "National Vulnerability Database".
Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.π Read
via "National Vulnerability Database".
π΄ Threat Modeling in the Age of OpenAI's Chatbot π΄
π Read
via "Dark Reading".
New technical chatbot capabilities raise the promise that their help in threat modeling could free humans for more interesting work.π Read
via "Dark Reading".
Dark Reading
Threat Modeling in the Age of OpenAI's Chatbot
New technical chatbot capabilities raise the promise that their help in threat modeling could free humans for more interesting work.
π΄ Google WordPress Plug-in Bug Allows AWS Metadata Theft π΄
π Read
via "Dark Reading".
A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.π Read
via "Dark Reading".
Dark Reading
Google WordPress Plug-in Bug Allows AWS Metadata Theft
A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.
π΄ Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal π΄
π Read
via "Dark Reading".
Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.π Read
via "Dark Reading".
Dark Reading
Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal
Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.
π΄ Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc. π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.
SAN FRANCISCO, Dec. 22, 2022 /PRNewswire/ -- The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authenticationβ¦
ποΈ Lean, green coding machine: How sustainable computing drive can reduce attack surfaces ποΈ
π Read
via "The Daily Swig".
Less is often more when it comes to both infosec and eco-friendly computing practicesπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Lean, green coding machine: How sustainable computing drive can reduce attack surfaces
Less is often more when it comes to both infosec and eco-friendly computing practices
βΌ CVE-2022-45966 βΌ
π Read
via "National Vulnerability Database".
here is an arbitrary file upload vulnerability in the file management function module of Classcms3.5.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4516 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
β βSuspicious loginβ scammers up their game β take care at Christmas β
π Read
via "Naked Security".
A picture is worth 1024 words - we clicked through so you don't have to.π Read
via "Naked Security".
Naked Security
βSuspicious loginβ scammers up their game β take care at Christmas
A picture is worth 1024 words β we clicked through so you donβt have to.
β S3 Ep114: Preventing cyberthreats β stop them before they stop you! [Audio + Text] β
π Read
via "Naked Security".
Join world-renowned expert Fraser Howard, Director of Research at SophosLabs, for this fascinating episode on how to fight cybercrime.π Read
via "Naked Security".
Naked Security
S3 Ep114: Preventing cyberthreats β stop them before they stop you! [Audio + Text]
Join world-renowned expert Fraser Howard, Director of Research at SophosLabs, for this fascinating episode on how to fight cybercrime.
π1
βΌ CVE-2022-46101 βΌ
π Read
via "National Vulnerability Database".
AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code.π Read
via "National Vulnerability Database".
βΌ CVE-2022-44510 βΌ
π Read
via "National Vulnerability Database".
Adobe Experience Manager version 6.5.14 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23541 βΌ
π Read
via "National Vulnerability Database".
jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-46102 βΌ
π Read
via "National Vulnerability Database".
AyaCMS 3.1.2 is vulnerable to Arbitrary file upload via /aya/module/admin/fst_down.inc.phpπ Read
via "National Vulnerability Database".
βΌ CVE-2022-47926 βΌ
π Read
via "National Vulnerability Database".
AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.phpπ Read
via "National Vulnerability Database".
βΌ CVE-2022-28282 βΌ
π Read
via "National Vulnerability Database".
By using a link with <code>rel="localization"</code> a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45411 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbird has applied the same mitigations to the use of this and similar headers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.π Read
via "National Vulnerability Database".