‼ CVE-2022-42411 ‼
📖 Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPC files. Crafted data in a JPC file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18306.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42415 ‼
📖 Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. Crafted data in a JP2 file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-18366.📖 Read
via "National Vulnerability Database".
⚠ S3 Ep119: Breaches, patches, leaks and tweaks! [Audio + Text] ⚠
📖 Read
via "Naked Security".
Lastest episode - listen now! (Or read the transcript.)📖 Read
via "Naked Security".
Naked Security
S3 Ep119: Breaches, patches, leaks and tweaks! [Audio + Text]
Lastest episode – listen now! (Or read the transcript.)
⚠ Dutch suspect locked up for alleged personal data megathefts ⚠
📖 Read
via "Naked Security".
Undercover Austrian "controlled data buy" leads to Amsterdam arrest and ongoing investigation. Suspect is said to steal and sell all sorts of data, including medical records.📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
‼ CVE-2022-25350 ‼
📖 Read
via "National Vulnerability Database".
All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22462 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Governance, Identity Manager virtual appliance component 10.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 225078.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40990 ‼
📖 Read
via "National Vulnerability Database".
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)' command template.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3478 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2023-20913 ‼
📖 Read
via "National Vulnerability Database".
In onCreate of PhoneAccountSettingsActivity.java and related files, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246933785📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41022 ‼
📖 Read
via "National Vulnerability Database".
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD' command template.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-20215 ‼
📖 Read
via "National Vulnerability Database".
In onCreate of MasterClearConfirmFragment.java, there is a possible factory reset due to a tapjacking/overlay attack. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183794206📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40037 ‼
📖 Read
via "National Vulnerability Database".
An issue discovered in Rawchen blog-ssm v1.0 allows remote attacker to escalate privileges and execute arbitrary commands via the component /upFile.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-47073 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the Create Ticket page of Small CRM v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40173 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-20458 ‼
📖 Read
via "National Vulnerability Database".
The logs of sensitive information (PII) or hardware identifier should only be printed in Android "userdebug" or "eng" build. StatusBarNotification.getKey() could contain sensitive information. However, CarNotificationListener.java, it prints out the StatusBarNotification.getKey() directly in logs, which could contain user's account name (i.e. PII), in Android "user" build.Product: AndroidVersions: Android-12LAndroid ID: A-205567776📖 Read
via "National Vulnerability Database".
‼ CVE-2022-41002 ‼
📖 Read
via "National Vulnerability Database".
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)' command template.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3572 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3820 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25860 ‼
📖 Read
via "National Vulnerability Database".
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4054 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-40035 ‼
📖 Read
via "National Vulnerability Database".
File Upload Vulnerability found in Rawchen Blog-ssm v1.0 allowing attackers to execute arbitrary commands and gain escalated privileges via the /uploadFileList component.📖 Read
via "National Vulnerability Database".