🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-33324 ‼

Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions "32" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "65" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU all versions, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V all versions, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU all versions and Mitsubishi Electric Corporation MELIPC Series MI5122-VW all versions allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. A system reset of the module is required for recovery.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-46492 ‼

nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32692 ‼

Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visit a website whose page title is set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4665 ‼

Unrestricted Upload of File with Dangerous Type in GitHub repository ampache/ampache prior to 5.5.6.

📖 Read

via "National Vulnerability Database".
πŸ—“οΈ Finding the next Log4j – OpenSSF’s Brian Behlendorf on pivoting to a β€˜risk-centred view’ of open source development πŸ—“οΈ

Apache pioneer says β€˜use at your own risk’ model no longer tenable as OpenSSF ramps up end user engagement

πŸ“– Read

via "The Daily Swig".
‼ CVE-2022-4689 ‼

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4684 ‼

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4683 ‼

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4686 ‼

Improper Authentication in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4687 ‼

Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4685 ‼

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4688 ‼

Improper Authorization in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-4690 ‼

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

📖 Read

via "National Vulnerability Database".
🛠 GRAudit Grep Auditing Tool 3.5 🛠

Graudit is a simple script with a set of signature files that lets you find potential security flaws in source code using the GNU utility grep. It is comparable to other static analysis applications like RATS, SWAAT, and flaw-finder while keeping the technical requirements to a minimum and being very flexible.

📖 Read

via "Packet Storm Security".
‼ CVE-2022-47524 ‼

F-Secure SAFE Browser 19.1 before 19.2 for Android allows an IDN homograph attack.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-46171 ‼

Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes subfolder content of allowed paths. Scopes without the wildcards are not affected. Since `**` is intended to match subdirectories, its behavior is also as expected. The issue has been patched in the latest release and was backported into the currently supported 1.x branches. There are no known workarounds at the time of publication.

📖 Read

via "National Vulnerability Database".
🕴 Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion 🕴

To stay safer, restrict access to data, monitor for breaches in the supply chain, track relevant data that is sold on the Dark Web, and implement best safety practices.

📖 Read

via "Dark Reading".
🕴 Google: With Cloud Comes APIs & Security Headaches 🕴

APIs are key to cloud transformation, but two Google surveys find that cyberattacks targeting them are reaching a tipping point, even as general cloud security issues abound.

📖 Read

via "Dark Reading".
πŸ‘2
‼ CVE-2022-47941 ‼

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak.

📖 Read

via "National Vulnerability Database".
πŸ‘1
‼ CVE-2022-43551 ‼

A vulnerability exists in the HSTS check of curl <7.87.0 that could be bypassed to trick curl into continuing to use HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is given in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by their ASCII counterparts as part of the IDN conversion, for example the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. In a subsequent request, curl then does not detect the HSTS state and makes a clear-text transfer, because it stored the HSTS information with the IDN-encoded host name but looked it up with the IDN-decoded one.

📖 Read

via "National Vulnerability Database".
πŸ‘1
‼ CVE-2022-4698 ‼

The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

📖 Read

via "National Vulnerability Database".