🛡 Cybersecurity & Privacy 🛡 - News
@cibsecurity
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
Download Telegram
About
Blog
Apps
Platform
Join
🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-45789

A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxureâ„¢ Control Expert (All Versions), EcoStruxureâ„¢ Process Expert (Version V2020 & prior), Modicon M340 CPU (part numbers BMXP34*) (All Versions), Modicon M580 CPU (part numbers BMEP* and BMEH*) (All Versions), Modicon M580 CPU Safety (part numbers BMEP58*S and BMEH58*S) (All Versions)

📖 Read

via "National Vulnerability Database".
379 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-39059

ChangingTech MegaServiSignAdapter component has a path traversal vulnerability within its file reading function. An unauthenticated remote attacker can exploit this vulnerability to access arbitrary system files.

📖 Read

via "National Vulnerability Database".
433 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2023-24829

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 of iotdb-web-workbench onwards.

📖 Read

via "National Vulnerability Database".
515 views
🛡 Cybersecurity & Privacy 🛡 - News
🛠 Suricata IDPE 6.0.10 🛠

Suricata is a network intrusion detection and prevention engine developed by the Open Information Security Foundation and its supporting vendors. The engine is multi-threaded and has native IPv6 support. It's capable of loading existing Snort rules and signatures and supports the Barnyard and Barnyard2 tools.

📖 Read

via "Packet Storm Security".
Packetstormsecurity
Suricata IDPE 6.0.10 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
466 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47698

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS) via the URL filtering feature in the router.

📖 Read

via "National Vulnerability Database".
438 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47854

i-librarian 4.10 is vulnerable to Arbitrary file upload in ajaxsupplement.php.

📖 Read

via "National Vulnerability Database".
363 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47701

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Cross Site Scripting (XSS).

📖 Read

via "National Vulnerability Database".
327 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47700

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Incorrect Access Control. Improper authentication allows requests to be made to back-end scripts without a valid session or authentication.

📖 Read

via "National Vulnerability Database".
289 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47699

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 is vulnerable to Incorrect Access Control.

📖 Read

via "National Vulnerability Database".
286 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2023-22611

A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause information disclosure when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxureâ„¢ Geo SCADA Expert 2019, EcoStruxureâ„¢ Geo SCADA Expert 2020, EcoStruxureâ„¢ Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).

📖 Read

via "National Vulnerability Database".
303 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47697

COMFAST (Shenzhen Sihai Zhonglian Network Technology Co., Ltd) CF-WR623N Router firmware V2.3.0.1 and before is vulnerable to Account takeover. Anyone can reset the password of the admin accounts.

📖 Read

via "National Vulnerability Database".
316 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-45172

An issue was discovered in LIVEBOX Collaboration vDesk before v018. Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system.

📖 Read

via "National Vulnerability Database".
👍1
367 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2023-22610

A CWE-285: Improper Authorization vulnerability exists that could cause Denial of Service against the Geo SCADA server when specific messages are sent to the server over the database server TCP port. Affected Products: EcoStruxureâ„¢ Geo SCADA Expert 2019, EcoStruxureâ„¢ Geo SCADA Expert 2020, EcoStruxureâ„¢ Geo SCADA Expert 2021 (All versions prior to October 2022), ClearSCADA (All Versions).

📖 Read

via "National Vulnerability Database".
400 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-45494

Buffer overflow vulnerability in function json_parse_object in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

📖 Read

via "National Vulnerability Database".
376 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-37708

Docker version 20.10.15, build fd82621 is vulnerable to Insecure Permissions. Unauthorized users outside the Docker container can access any files within the Docker container.

📖 Read

via "National Vulnerability Database".
1
415 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-32984

BTCPay Server 1.3.0 through 1.5.3 allows a remote attacker to obtain sensitive information when a public Point of Sale app is exposed. The sensitive information, found in the HTML source code, includes the xpub of the store. Also, if the store isn't using the internal lightning node, the credentials of a lightning node are exposed.

📖 Read

via "National Vulnerability Database".
427 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-45297

EQ v1.5.31 to v2.2.0 was discovered to contain a SQL injection vulnerability via the UserPwd parameter.

📖 Read

via "National Vulnerability Database".
👍1
417 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2023-0454

OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path.

📖 Read

via "National Vulnerability Database".
354 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-42972

A CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability exists that could cause local privilege escalation when a local attacker modifies the webroot directory. Affected Products: APC Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GA), APC Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GA-01-22261), Schneider Electric Easy UPS Online Monitoring Software (Windows 7, 10, 11 & Windows Server 2016, 2019, 2022 - Versions prior to V2.5-GS), Schneider Electric Easy UPS Online Monitoring Software (Windows 11, Windows Server 2019, 2022 - Versions prior to V2.5-GS-01-22261)

📖 Read

via "National Vulnerability Database".
337 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2023-23928

reason-jose is a JOSE implementation in ReasonML and OCaml.`Jose.Jws.validate` does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass. Applications relying on JWS claims assertion to enforce security boundaries may be vulnerable to privilege escalation. This issue has been patched in version 0.8.2.

📖 Read

via "National Vulnerability Database".
230 views
🛡 Cybersecurity & Privacy 🛡 - News
CVE-2022-47770

Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.

📖 Read

via "National Vulnerability Database".
211 views