βΌ CVE-2022-28229 βΌ
π Read
via "National Vulnerability Database".
The hash functionality in userver before 42059b6319661583b3080cab9b595d4f8ac48128 allows attackers to cause a denial of service via crafted HTTP request, involving collisions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47946 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47945 βΌ
π Read
via "National Vulnerability Database".
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23854 βΌ
π Read
via "National Vulnerability Database".
AVEVA InTouch Access Anywhere versions 2020 R2 and older are vulnerable to a path traversal exploit that could allow an unauthenticated user with network access to read files on the system outside of the secure gateway web server.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47633 βΌ
π Read
via "National Vulnerability Database".
An image signature validation bypass vulnerability in Kyverno 1.8.3 and 1.8.4 allows a malicious image registry (or a man-in-the-middle attacker) to inject unsigned arbitrary container images into a protected Kubernetes cluster. This is fixed in 1.8.5. This has been fixed in 1.8.5 and mitigations are available for impacted releases.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38658 βΌ
π Read
via "National Vulnerability Database".
BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40011 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in typora through 1.38 allows remote attackers to run arbitrary code via export from editor.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22449 βΌ
π Read
via "National Vulnerability Database".
IBM Security Verify Governance, Identity Manager 10.01 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 224915.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45798 βΌ
π Read
via "National Vulnerability Database".
A link following vulnerability in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service could allow a local attacker to escalate privileges by creating a symbolic link and abusing the service to delete a file. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43860 βΌ
π Read
via "National Vulnerability Database".
IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to obtain sensitive information they are authorized to but not while using this interface. By performing an SQL injection an attacker could see user profile attributes through this interface. IBM X-Force ID: 239305.π Read
via "National Vulnerability Database".
π’ The Guardian newspaper believes "IT incident" caused by ransomware π’
π Read
via "ITPro".
It's the second case of a major Western media organisation being targeted by a cyber attack this yearπ Read
via "ITPro".
ITPro
The Guardian newspaper believes "IT incident" caused by ransomware
It's the second case of a major Western media organisation being targeted by a cyber attack this year
π’ Windows 10 users encounter βblue screen of deathβ after latest Patch Tuesday update π’
π Read
via "ITPro".
Microsoft said it is working on a fix for the issue and has offered users a temporary workaroundπ Read
via "ITPro".
ITPro
Windows 10 users encounter βblue screen of deathβ after latest Patch Tuesday update
Microsoft said it is working on a fix for the issue and has offered users a temporary workaround
π’ The IT Pro Podcast: The 2022 that didn't happen π’
π Read
via "ITPro".
Some of the biggest predictions for this year didn't come to passπ Read
via "ITPro".
ITPro
The IT Pro Podcast: The 2022 that didn't happen
Some of the biggest predictions for this year didn't come to pass
π’ LastPass customer password vaults stolen, targeted phishing attacks likely π’
π Read
via "ITPro".
The latest fallout from the password manager's August security nightmare will probably see attackers deploying sophisticated methods to acquire decryption informationπ Read
via "ITPro".
ITPro
LastPass customer password vaults stolen, targeted phishing attacks likely
The latest fallout from the password manager's August security nightmare will probably see attackers deploying sophisticated methods to acquire decryption information
π’ Podcast transcript: The 2022 that didn't happen π’
π Read
via "ITPro".
Read the full transcript for this episode of the IT Pro Podcastπ Read
via "ITPro".
ITPro
Podcast transcript: The 2022 that didn't happen
Read the full transcript for this episode of the IT Pro Podcast
π’ Linux fixes maximum-severity kernel vulnerability π’
π Read
via "ITPro".
Most businesses running SMB servers are believed to be shielded but one expert likened potential exploits to Heartbleedπ Read
via "ITPro".
ITPro
Linux fixes maximum-severity kernel vulnerability
Most businesses running SMB servers are believed to be shielded but one expert likened potential exploits to Heartbleed
π’ The scariest cyber security horror stories of 2022 π’
π Read
via "ITPro".
Lapsus$ group, Log4Shell, new Microsoft Exchange vulnerabilities, and the Russia-Ukraine war dominated cyber security headlines in 2022π Read
via "ITPro".
ITPro
The scariest cyber security horror stories of 2022
Lapsus$ group, Log4Shell, new Microsoft Exchange vulnerabilities, and the Russia-Ukraine war dominated cyber security headlines in 2022
π1
βΌ CVE-2022-46175 βΌ
π Read
via "National Vulnerability Database".
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47933 βΌ
π Read
via "National Vulnerability Database".
Brave Browser before 1.42.51 allowed a remote attacker to cause a denial of service via a crafted HTML file that references the IPFS scheme. This vulnerability is caused by an uncaught exception in the function ipfs::OnBeforeURLRequest_IPFSRedirectWork() in ipfs_redirect_network_delegate_helper.cc.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47934 βΌ
π Read
via "National Vulnerability Database".
Brave Browser before 1.43.88 allowed a remote attacker to cause a denial of service in private and guest windows via a crafted HTML file that mentions an ipfs:// or ipns:// URL. This is caused by an incomplete fix for CVE-2022-47932 and CVE-2022-47934.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47932 βΌ
π Read
via "National Vulnerability Database".
Brave Browser before 1.43.34 allowed a remote attacker to cause a denial of service via a crafted HTML file that mentions an ipfs:// or ipns:// URL. This vulnerability is caused by an incomplete fix for CVE-2022-47933.π Read
via "National Vulnerability Database".