♟️ Microsoft Patch Tuesday, January 2023 Edition ♟️
📖 Read
via "Krebs on Security".
Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.📖 Read
via "Krebs on Security".
Krebs on Security
Microsoft Patch Tuesday, January 2023 Edition
Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S.…
⚠ Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches ⚠
📖 Read
via "Naked Security".
Get 'em while they're hot. And get 'em for the very last time, if you still have Windows 7 or 8.1...📖 Read
via "Naked Security".
‼ CVE-2022-48252 ‼
📖 Read
via "National Vulnerability Database".
The jokob-sk/Pi.Alert fork (before 22.12.20) of Pi.Alert allows Remote Code Execution via nmap_scan.php (scan parameter) OS Command Injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43391 ‼
📖 Read
via "National Vulnerability Database".
A buffer overflow vulnerability in the parameter of the CGI program in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to cause denial-of-service (DoS) conditions by sending a crafted HTTP request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43393 ‼
📖 Read
via "National Vulnerability Database".
An improper check for unusual or exceptional conditions in the HTTP request processing function of Zyxel GS1920-24v2 firmware prior to V4.70(ABMH.8)C0, which could allow an unauthenticated attacker to corrupt the contents of the memory and result in a denial-of-service (DoS) condition on a vulnerable device.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43392 ‼
📖 Read
via "National Vulnerability Database".
A buffer overflow vulnerability in the parameter of web server in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to cause denial-of-service (DoS) conditions by sending a crafted authorization request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0553 ‼
📖 Read
via "National Vulnerability Database".
There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted firmware can be retrieved easily.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3966 ‼
📖 Read
via "National Vulnerability Database".
usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22947 ‼
📖 Read
via "National Vulnerability Database".
** DISPUTED ** Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake."📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43390 ‼
📖 Read
via "National Vulnerability Database".
A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22959 ‼
📖 Read
via "National Vulnerability Database".
WebChess through 0.9.0 and 1.0.0.rc2 allows SQL injection: mainmenu.php, chess.php, and opponentspassword.php (txtFirstName, txtLastName).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-43389 ‼
📖 Read
via "National Vulnerability Database".
A buffer overflow vulnerability in the library of the web server in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22945 ‼
📖 Read
via "National Vulnerability Database".
In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-48253 ‼
📖 Read
via "National Vulnerability Database".
nhttpd in Nostromo before 2.1 is vulnerable to a path traversal that may allow an attacker to execute arbitrary commands on the remote server. The vulnerability occurs when the homedirs option is used.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22958 ‼
📖 Read
via "National Vulnerability Database".
The Syracom Secure Login plugin before 3.1.1.0 for Jira may allow spoofing of 2FA PIN validation via the plugins/servlet/twofactor/public/pinvalidation target parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-47866 ‼
📖 Read
via "National Vulnerability Database".
Lead management system v1.0 is vulnerable to SQL Injection via the id parameter in removeBrand.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2018-25073 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been found in Newcomer1989 TSN-Ranksystem up to 1.2.6 and classified as problematic. This vulnerability affects the function getlog of the file webinterface/bot.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.2.7 is able to address this issue. The name of the patch is b3a3cd8efe2cd3bd3c5b3b7abf2fe80dbee51b77. It is recommended to upgrade the affected component. VDB-218002 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42967 ‼
📖 Read
via "National Vulnerability Database".
Caret is vulnerable to an XSS attack when the user opens a crafted Markdown file when preview mode is enabled. This directly leads to client-side code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-47865 ‼
📖 Read
via "National Vulnerability Database".
Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeOrder.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4696 ‼
📖 Read
via "National Vulnerability Database".
There exists a use-after-free vulnerability in the Linux kernel through io_uring and the IORING_OP_SPLICE operation. If IORING_OP_SPLICE is missing the IO_WQ_WORK_FILES flag, which signals that the operation won't use current->nsproxy, so its reference counter is not increased. This assumption is not always true as calling io_splice on specific files will call the get_uts function which will use current->nsproxy leading to invalidly decreasing its reference counter later causing the use-after-free vulnerability. We recommend upgrading to version 5.10.160 or above📖 Read
via "National Vulnerability Database".
🕴 Infoblox Appoints Scott Harrell to CEO 🕴
📖 Read
via "Dark Reading".
Jesper Andersen has decided to retire and will continue to serve on the Board of Directors.📖 Read
via "Dark Reading".
Dark Reading
Infoblox Appoints Scott Harrell to CEO
Jesper Andersen has decided to retire and will continue to serve on the Board of Directors.