πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
@cibsecurity
25.8K subscribers
89.2K links
πŸ—ž The finest daily news on cybersecurity and privacy.

πŸ”” Daily releases.

πŸ’» Is your online life secure?

πŸ“© lalilolalo.dev@gmail.com
Download Telegram
About
Blog
Apps
Platform
Join
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
25.8K subscribers
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ Windows 10 users encounter β€˜blue screen of death’ after latest Patch Tuesday update πŸ“’

Microsoft said it is working on a fix for the issue and has offered users a temporary workaround

πŸ“– Read

via "ITPro".
ITPro
Windows 10 users encounter β€˜blue screen of death’ after latest Patch Tuesday update
Microsoft said it is working on a fix for the issue and has offered users a temporary workaround
261 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ The IT Pro Podcast: The 2022 that didn't happen πŸ“’

Some of the biggest predictions for this year didn't come to pass

πŸ“– Read

via "ITPro".
ITPro
The IT Pro Podcast: The 2022 that didn't happen
Some of the biggest predictions for this year didn't come to pass
249 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ LastPass customer password vaults stolen, targeted phishing attacks likely πŸ“’

The latest fallout from the password manager's August security nightmare will probably see attackers deploying sophisticated methods to acquire decryption information

πŸ“– Read

via "ITPro".
ITPro
LastPass customer password vaults stolen, targeted phishing attacks likely
The latest fallout from the password manager's August security nightmare will probably see attackers deploying sophisticated methods to acquire decryption information
317 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ Podcast transcript: The 2022 that didn't happen πŸ“’

Read the full transcript for this episode of the IT Pro Podcast

πŸ“– Read

via "ITPro".
ITPro
Podcast transcript: The 2022 that didn't happen
Read the full transcript for this episode of the IT Pro Podcast
351 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ Linux fixes maximum-severity kernel vulnerability πŸ“’

Most businesses running SMB servers are believed to be shielded but one expert likened potential exploits to Heartbleed

πŸ“– Read

via "ITPro".
ITPro
Linux fixes maximum-severity kernel vulnerability
Most businesses running SMB servers are believed to be shielded but one expert likened potential exploits to Heartbleed
462 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
πŸ“’ The scariest cyber security horror stories of 2022 πŸ“’

Lapsus$ group, Log4Shell, new Microsoft Exchange vulnerabilities, and the Russia-Ukraine war dominated cyber security headlines in 2022

πŸ“– Read

via "ITPro".
ITPro
The scariest cyber security horror stories of 2022
Lapsus$ group, Log4Shell, new Microsoft Exchange vulnerabilities, and the Russia-Ukraine war dominated cyber security headlines in 2022
πŸ‘1
578 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-46175 β€Ό

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.

πŸ“– Read

via "National Vulnerability Database".
664 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-47933 β€Ό

Brave Browser before 1.42.51 allowed a remote attacker to cause a denial of service via a crafted HTML file that references the IPFS scheme. This vulnerability is caused by an uncaught exception in the function ipfs::OnBeforeURLRequest_IPFSRedirectWork() in ipfs_redirect_network_delegate_helper.cc.

πŸ“– Read

via "National Vulnerability Database".
546 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-47934 β€Ό

Brave Browser before 1.43.88 allowed a remote attacker to cause a denial of service in private and guest windows via a crafted HTML file that mentions an ipfs:// or ipns:// URL. This is caused by an incomplete fix for CVE-2022-47932 and CVE-2022-47934.

πŸ“– Read

via "National Vulnerability Database".
572 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-47932 β€Ό

Brave Browser before 1.43.34 allowed a remote attacker to cause a denial of service via a crafted HTML file that mentions an ipfs:// or ipns:// URL. This vulnerability is caused by an incomplete fix for CVE-2022-47933.

πŸ“– Read

via "National Vulnerability Database".
531 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-47949 β€Ό

The Nintendo NetworkBuffer class, as used in Animal Crossing: New Horizons before 2.0.6 and other products, allows remote attackers to execute arbitrary code via a large UDP packet that causes a buffer overflow, aka ENLBufferPwn. The victim must join a game session with the attacker. Other affected products include Mario Kart 7 before 1.2, Mario Kart 8, Mario Kart 8 Deluxe before 2.1.0, ARMS before 5.4.1, Splatoon, Splatoon 2 before 5.5.1, Splatoon 3 before late 2022, Super Mario Maker 2 before 3.0.2, and Nintendo Switch Sports before late 2022.

πŸ“– Read

via "National Vulnerability Database".
471 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44640 β€Ό

Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).

πŸ“– Read

via "National Vulnerability Database".
405 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-45896 β€Ό

Planet eStream before 6.72.10.07 allows unauthenticated upload of arbitrary files: Choose a Video / Related Media or Upload Document. Upload2.ashx can be used, or Ajax.asmx/ProcessUpload2. This leads to remote code execution.

πŸ“– Read

via "National Vulnerability Database".
375 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44017 β€Ό

An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout.

πŸ“– Read

via "National Vulnerability Database".
310 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44016 β€Ό

An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can download arbitrary files from the web server by abusing an API call: /DS/LM_API/api/ConfigurationService/GetImages with an '"ImagesPath":"C:\\"' value.

πŸ“– Read

via "National Vulnerability Database".
255 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44013 β€Ό

An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can make various API calls without authentication because the password in a Credential Object is not checked.

πŸ“– Read

via "National Vulnerability Database".
240 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44380 β€Ό

Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.

πŸ“– Read

via "National Vulnerability Database".
232 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-45892 β€Ό

In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.

πŸ“– Read

via "National Vulnerability Database".
225 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44015 β€Ό

An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can inject raw SQL queries. By activating MSSQL features, the attacker is able to execute arbitrary commands on the MSSQL server via the xp_cmdshell extended procedure.

πŸ“– Read

via "National Vulnerability Database".
223 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-44381 β€Ό

Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.

πŸ“– Read

via "National Vulnerability Database".
221 views
πŸ›‘ Cybersecurity & Privacy πŸ›‘ - News
β€Ό CVE-2022-42953 β€Ό

Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).

πŸ“– Read

via "National Vulnerability Database".
222 views