βΌ CVE-2022-38143 βΌ
π Read
via "National Vulnerability Database".
A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43599 βΌ
π Read
via "National Vulnerability Database".
Multiple code execution vulnerabilities exist in the IFFOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to a heap buffer overflow. An attacker can provide malicious input to trigger these vulnerabilities.This vulnerability arises when the `xmax` variable is set to 0xFFFF and `m_spec.format` is `TypeDesc::UINT8`π Read
via "National Vulnerability Database".
π΄ Security Is a Second-Class Citizen in High-Performance Computing π΄
π Read
via "Dark Reading".
Vendors and operators attempt to balance power and security, but right now, power is the highest goal.π Read
via "Dark Reading".
Dark Reading
Security Is a Second-Class Citizen in High-Performance Computing
Vendors and operators attempt to balance power and security, but right now, power is the highest goal.
βΌ CVE-2022-40898 βΌ
π Read
via "National Vulnerability Database".
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47931 βΌ
π Read
via "National Vulnerability Database".
IO FinNet tss-lib before 2.0.0 allows a collision of hash values.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40897 βΌ
π Read
via "National Vulnerability Database".
An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40899 βΌ
π Read
via "National Vulnerability Database".
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46493 βΌ
π Read
via "National Vulnerability Database".
Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23513 βΌ
π Read
via "National Vulnerability Database".
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46491 βΌ
π Read
via "National Vulnerability Database".
A Cross-Site Request Forgery (CSRF) vulnerability in the Add Administrator function of the default version of nbnbk allows attackers to arbitrarily add Administrator accounts.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47928 βΌ
π Read
via "National Vulnerability Database".
In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23539 βΌ
π Read
via "National Vulnerability Database".
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, youΓ’β¬β’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.π Read
via "National Vulnerability Database".
π’ Apple issues patch for macOS security bypass vulnerability π’
π Read
via "ITPro".
The Achilles vulnerability enabled malware to slip past Appleβs Gatekeeper security checksπ Read
via "ITPro".
ITPro
Apple issues patch for macOS security bypass vulnerability
The Achilles vulnerability enabled malware to slip past Appleβs Gatekeeper security checks
π’ IRS mistakenly publishes 112,000 taxpayer records for the second time π’
π Read
via "ITPro".
A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accentureπ Read
via "ITPro".
IT Pro
IRS mistakenly publishes 112,000 taxpayer records for the second time
A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accenture
βΌ CVE-2022-33324 βΌ
π Read
via "National Vulnerability Database".
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions "32" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "65" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU all versions, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V all versions, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU all versions and Mitsubishi Electric Corporation MELIPC Series MI5122-VW all versions allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. A system reset of the module is required for recovery.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46492 βΌ
π Read
via "National Vulnerability Database".
nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32692 βΌ
π Read
via "National Vulnerability Database".
Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4665 βΌ
π Read
via "National Vulnerability Database".
Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.π Read
via "National Vulnerability Database".
ποΈ Finding the next Log4j β OpenSSFβs Brian Behlendorf on pivoting to a βrisk-centred viewβ of open source development ποΈ
π Read
via "The Daily Swig".
Apache pioneer says βuse at your own riskβ model no longer tenable as OpenSSF ramps up end user engagementπ Read
via "The Daily Swig".
portswigger.net
Web Application Security, Testing, & Scanning - PortSwigger
PortSwigger offers tools for web application security, testing, & scanning. Choose from a range of security tools, & identify the very latest vulnerabilities.
βΌ CVE-2022-4689 βΌ
π Read
via "National Vulnerability Database".
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4684 βΌ
π Read
via "National Vulnerability Database".
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".