βΌ CVE-2022-47931 βΌ
π Read
via "National Vulnerability Database".
IO FinNet tss-lib before 2.0.0 allows a collision of hash values.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40897 βΌ
π Read
via "National Vulnerability Database".
An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40899 βΌ
π Read
via "National Vulnerability Database".
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46493 βΌ
π Read
via "National Vulnerability Database".
Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23513 βΌ
π Read
via "National Vulnerability Database".
Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure for any victims' personal blacklists.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46491 βΌ
π Read
via "National Vulnerability Database".
A Cross-Site Request Forgery (CSRF) vulnerability in the Add Administrator function of the default version of nbnbk allows attackers to arbitrarily add Administrator accounts.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47928 βΌ
π Read
via "National Vulnerability Database".
In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23539 βΌ
π Read
via "National Vulnerability Database".
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, youΓ’β¬β’ll need to set the `allowInvalidAsymmetricKeyTypes` option to `true` in the `sign()` and/or `verify()` functions.π Read
via "National Vulnerability Database".
π’ Apple issues patch for macOS security bypass vulnerability π’
π Read
via "ITPro".
The Achilles vulnerability enabled malware to slip past Appleβs Gatekeeper security checksπ Read
via "ITPro".
ITPro
Apple issues patch for macOS security bypass vulnerability
The Achilles vulnerability enabled malware to slip past Appleβs Gatekeeper security checks
π’ IRS mistakenly publishes 112,000 taxpayer records for the second time π’
π Read
via "ITPro".
A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accentureπ Read
via "ITPro".
IT Pro
IRS mistakenly publishes 112,000 taxpayer records for the second time
A contractor is thought to be responsible for the error, with the agency reportedly reviewing its relationship with Accenture
βΌ CVE-2022-33324 βΌ
π Read
via "National Vulnerability Database".
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions "32" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "65" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU all versions, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V all versions, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU all versions and Mitsubishi Electric Corporation MELIPC Series MI5122-VW all versions allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. A system reset of the module is required for recovery.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46492 βΌ
π Read
via "National Vulnerability Database".
nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32692 βΌ
π Read
via "National Vulnerability Database".
Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4665 βΌ
π Read
via "National Vulnerability Database".
Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.π Read
via "National Vulnerability Database".
ποΈ Finding the next Log4j β OpenSSFβs Brian Behlendorf on pivoting to a βrisk-centred viewβ of open source development ποΈ
π Read
via "The Daily Swig".
Apache pioneer says βuse at your own riskβ model no longer tenable as OpenSSF ramps up end user engagementπ Read
via "The Daily Swig".
portswigger.net
Web Application Security, Testing, & Scanning - PortSwigger
PortSwigger offers tools for web application security, testing, & scanning. Choose from a range of security tools, & identify the very latest vulnerabilities.
βΌ CVE-2022-4689 βΌ
π Read
via "National Vulnerability Database".
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4684 βΌ
π Read
via "National Vulnerability Database".
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4683 βΌ
π Read
via "National Vulnerability Database".
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4686 βΌ
π Read
via "National Vulnerability Database".
Improper Authentication in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4687 βΌ
π Read
via "National Vulnerability Database".
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4685 βΌ
π Read
via "National Vulnerability Database".
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.π Read
via "National Vulnerability Database".