Early evidence seems to indicate a compromise of Microsoft Exchange servers in a reply chain attack campaignπ Read
via "ITPro".
π‘ Cybersecurity & Privacy news π‘
Early evidence seems to indicate a compromise of Microsoft Exchange servers in a reply chain attack campaignA closer look at one of the most perilous forms of phishingStealth malware deploys key loggers and information stealersFlaw could expose userβs home network to hackersAttacker had access to admin passwords for over two monthsIn the face of mixed messages between the public and private sector, should businesses be wary of jumping on the bandwagon?NCSC identified 4,151 online shops compromised using vulnerability within e-commerce platform MagentoFormer and current staff at California Pizza Kitchen potentially burned by hackersThe lawsuit claims 'flagrant' violations of US federal and state law from the Israeli firm behind the infamous spywareAttackers can easily manipulate the 9100 port to hijack hardware and steal data, researchers claimDanish firm says hackers managed to obtain company data and knock out parts of its IT networkCyber criminals in China control the malwareThe malware allows for server-side payment skimming that bypasses browser securityMicrosoft security researchers warn hacking is part of broader cyber espionage effortThe NCSCβs and KPMGβs Diversity and inclusion in cyber security report studied the obstacles faced by cyber security professionalsThe company wants to 'take its time' to implement the technology in a way that both protects privacy and prevents exposure to online harmsThe exploit allows hackers to elevate privileges and create admin accountsThe joint solution improves equity and access to government benefitsHackers are targeting victims using phone calls and voice mails about cryptocurrency transactionsThe side that's better at collaborating with allies will have the upper hand, and until now, that distinction has gone to the cybercriminals.Cyberattackers had unfettered access to the technology giant's file server for four months.Millions of texts leading to the Flubot spyware/banking trojan are targeting everyone who uses Androids in the country, in an "exceptional" attack.IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged user to inject and execute malicious code. IBM X-Force ID: 212441.IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local attacker to obtain sensitive information by inclusion of sensitive data within diagnostics. IBM X-Force ID: 213215.IBM MQ Appliance 9.2 CD and 9.2 LTS is affected by a denial of service attack caused by a concurrency issue. IBM X-Force ID: 212042IBM MQ Appliance could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace.The insurer wonβt pay for 'acts of cyber-war' or nation-state retaliation attacks. Β Β A sixth member of international hacking group The Community was sentenced to 10 months in prison and ordered to pay $121,549.37 in restitution.Most industry analyst firms conclude that between 80-90 percent of network traffic is encrypted today. Jeff Costlow, CISO at ExtraHop, explains why this might not be a good thing.This issue was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie('[COOKIE]') . The value is transferred to the --header option in wget binary, and there is no validation check. This vulnerability allows remote attackers to execute remote command.Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.The Bluetooth Classic implementation on Actions ATS2815 chipsets does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service and shutdown of a device by flooding the target device with LMP_features_res packets.Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.An open redirect through HTML injection in confidential messages in Cryptshare before 5.1.0 allows remote attackers (with permission to provide confidential messages via Cryptshare) to redirect targeted victims to any URL via the '<meta http-equiv="refresh"' substring in the editor parameter.PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has already compromised a valid Windows account on the server via separate means. In this scenario, the compromised account may have inherited read access to sensitive configuration, database, and log files.An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the ping and traceroute features. An attacker would thus be able to use this vulnerability to open a reverse shell on the device with root privileges.bookstack is vulnerable to Improper Access ControlAn improper input validation leading to arbitrary file creation was discovered in copy method of Nexacro platform. Remote attackers use copy method to execute arbitrary command after the file creation included malicious code.The vulnerabilty was discovered in ActiveX module related to NeoRS remote support program. This issue allows an remote attacker to download and execute remote file. It is because of improper parameter validation of StartNeoRS function in ActiveX.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-41244. Reason: This candidate is a reservation duplicate of CVE-2021-41244. Notes: All CVE users should reference CVE-2021-41244 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.An issue was discovered on Victure WR1200 devices through 1.0.3. The root SSH password never gets updated from its default value of admin. This enables an attacker to gain control of the device through SSH (regardless of whether the admin password was changed on the web interface).In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large messageAn issue was discovered on Victure WR1200 devices through 1.0.3. The default Wi-Fi WPA2 key is advertised to anyone within Wi-Fi range through the router's MAC address. The device default Wi-Fi password corresponds to the last 4 bytes of the MAC address of its 2.4 GHz network interface controller (NIC). An attacker within scanning range of the Wi-Fi network can thus scan for Wi-Fi networks to obtain the default key.Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.While SD-WAN is a key part of a hybrid workplace and multicloud operation, it should be treated as a stepping stone to SASE, not an alternative.More than 150 HP printer models have bugs that could enable attackers to steal data and gain an initial foothold on enterprise networks.Decisions in the UK and Australia, and lawsuits in the United States, could force facial-recognition providers to remove data from their machine-learning models.Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user.nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information.Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format.Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker's choice.Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.Technologies are available to better protect the data used in artificial intelligence, but they're not quite ready for prime time, says Deloitte.ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors.Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to start the telnet service and execute an arbitrary OS command via unspecified vectors.Cross-site request forgery (CSRF) vulnerability in Browser and Operating System Finder versions prior to 1.2 allows a remote unauthenticated attacker to hijack the authentication of an administrator via unspecified vectors.ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors.An issue was discovered in Jamf Pro before 10.32.0, aka PI-009921. An account can be granted incorrect privileges in response to authentication that uses specific sign-on workflows.Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to bypass access restriction and to access the management screen of the product via unspecified vectors.Sunnet eHRD has inadequate filtering for special characters in URLs, which allows a remote attacker to perform path traversal attacks without authentication, access restricted paths and download system files.Cross-site scripting vulnerability in Wi-Fi STATION SH-52A (38JP_1_11G, 38JP_1_11J, 38JP_1_11K, 38JP_1_11L, 38JP_1_26F, 38JP_1_26G, 38JP_1_26J, 38JP_2_03B, and 38JP_2_03C) allows a remote unauthenticated attacker to inject an arbitrary script via WebUI of the device.ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to execute an arbitrary OS command via unspecified vectors.OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attackers to execute an arbitrary OS command with the root privilege via unspecified vectors.Buffer overflow vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute an arbitrary OS command via unspecified vectors.Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a remote authenticated attacker to hijack the authentication of an administrator via a specially crafted page.Sunnet eHRD e-mail delivery task scheduleΓ’β¬β’s serialization function has inadequate input object validation and restriction, which allows a post-authenticated remote attacker with database access privilege, to execute arbitrary code and control the system or interrupt services.Cross-site scripting vulnerability in ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent unauthenticated attacker to bypass access restriction, and to obtain anti-CSRF tokens and change the product's settings via unspecified vectors.Sunnet eHRD has broken access control vulnerability, which allows a remote attacker to access account management page after being authenticated as a general user, then perform privilege escalation to execute arbitrary code and control the system or interrupt services.Vulnerability in open source project has since been patchedvim is vulnerable to Heap-based Buffer OverflowAffected versions of CODESYS Git in Versions prior to V1.1.0.0 lack certificate validation in HTTPS handshakes. CODESYS Git does not implement certificate validation by default, so it does not verify that the server provides a valid and trusted HTTPS certificate. Since the certificate of the server to which the connection is made is not properly verified, the server connection is vulnerable to a man-in-the-middle attack.snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Attackers use socially engineered SMS messages and malware to compromise tens of thousands of devices and drain user bank accounts.showdoc is vulnerable to Cross-Site Request Forgery (CSRF)showdoc is vulnerable to URL Redirection to Untrusted Siteshowdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)elgg is vulnerable to Authorization Bypass Through User-Controlled Keykimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')vim is vulnerable to Heap-based Buffer Overflowkimai2 is vulnerable to Improper Access Controlfirefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')showdoc is vulnerable to Cross-Site Request Forgery (CSRF)An unsafe search path vulnerability in FortiClientWindows 7.0.0, 6.4.6 and below, 6.2.x, 6.0.x and FortiClientEMS 7.0.0, 6.4.6 and below, 6.2.x, 6.0.x may allow an attacker to perform a DLL Hijack attack on affected devices via a malicious OpenSSL engine library in the search path.US crime syndicate βThe Communityβ stole millions of dollarsβ worth of cryptocurrencyScraping data for a facial recognition service? "That's unlawful", concluded both the British and the Australians.With supply chain delays and an online shopping boom, attacks will come from multiple angles.YurunProxy v0.01 is affected by a Cross Site Scripting (XSS) vulnerability in src/Client.php. The exit function will terminate the script and print a message which have values from the socket_read.attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function.In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of usersΓ’β¬β’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victimΓ’β¬β’s browser when they open the malicious profile pictureLibrenms 21.11.0 is affected by is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.Librenms 21.11.0 is affected by is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.Mail servers readily hijacked due to MSP oversightCompany gives Fortune 500 companies including Colgate-Palmolive, Tesco and Scientific Games Corporation full visibility and context into risk to preempt potential attacks.Kaspersky researchers suspect that the cyberattackers may be a subgroup of the politically motivated, Palestine-focused Gaza Cybergang.manage (last update Oct 24, 2017) is affected by is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function will terminate the script and print a message which have values from $_POST.libretime hv3.0.0-alpha.10 is affected by a path manipulation vulnerability in /blob/master/legacy/application/modules/rest/controllers/ShowImageController.php through the rename function.Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who know the SIM phone number and password) to listen to a device's surroundings via a callback in an SMS command, as demonstrated by the 123456 and 523681 default passwords.NXP Kinetis K82 devices have a buffer over-read via a crafted wlength value in a GET Status-Other request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.NXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.Insulet Omnipod Insulin Management System insulin pump product ID 19191 and 40160 is designed to communicate using a wireless RF with an Insulet manufactured Personal Diabetes Manager device. This wireless RF communication protocol does not properly implement authentication or authorization. An attacker with access to one of the affected insulin pump models may be able to modify and/or intercept data. This vulnerability could also allow attackers to change pump settings and control insulin delivery.The AMDPowerProfiler.sys driver of AMD ?Prof tool may allow lower privileged users to access MSRs in kernel which may lead to privilege escalation and ring-0 code execution by the lower privileged user.Improper Input Validation vulnerability in MELSEC iQ-R Series R00/01/02CPU Firmware versions "24" and prior, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "57" and prior, MELSEC iQ-R Series R08/16/32/120SFCPU All versions, MELSEC iQ-R Series R08/16/32/120PCPU Firmware versions "29" and prior, MELSEC iQ-R Series R08/16/32/120PSFCPU All versions, MELSEC iQ-R Series R16/32/64MTCPU All versions, MELSEC iQ-R Series R12CCPU-V All versions, MELSEC Q Series Q03UDECPU All versions, MELSEC Q Series Q04/06/10/13/20/26/50/100UDEHCPU All versions, MELSEC Q Series Q03/04/06/13/26UDVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q04/06/13/26UDPVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q12DCCPU-V All versions, MELSEC Q Series Q24DHCCPU-V(G) All versions, MELSEC Q Series Q24/26DHCCPU-LS All versions, MELSEC Q Series MR-MQ100 All versions, MELSEC Q Series Q172/173DCPU-S1 All versions, MELSEC Q Series Q172/172DSCPU All versions, MELSEC Q Series Q170MCPU All versions, MELSEC Q Series Q170MSCPU(-S1) All versions, MELSEC L Series L02/06/26CPU(-P) All versions, MELSEC L Series L26CPU-(P)BT All versions and MELIPC Series MI5122-VW All versions allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets. System reset is required for recovery.Uncontrolled Resource Consumption vulnerability in MELSEC iQ-R Series R00/01/02CPU Firmware versions "24" and prior, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "57" and prior, MELSEC iQ-R Series R08/16/32/120SFCPU All versions, MELSEC iQ-R Series R08/16/32/120PCPU Firmware versions "29" and prior, MELSEC iQ-R Series R08/16/32/120PSFCPU All versions, MELSEC iQ-R Series R16/32/64MTCPU All versions, MELSEC iQ-R Series R12CCPU-V All versions, MELSEC Q Series Q03UDECPU All versions, MELSEC Q Series Q04/06/10/13/20/26/50/100UDEHCPU All versions, MELSEC Q Series Q03/04/06/13/26UDVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q04/06/13/26UDPVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q12DCCPU-V All versions, MELSEC Q Series Q24DHCCPU-V(G) All versions, MELSEC Q Series Q24/26DHCCPU-LS All versions, MELSEC Q Series MR-MQ100 All versions, MELSEC Q Series Q172/173DCPU-S1 All versions, MELSEC Q Series Q172/172DSCPU All versions, MELSEC Q Series Q170MCPU All versions, MELSEC Q Series Q170MSCPU(-S1) All versions, MELSEC L Series L02/06/26CPU(-P) All versions, MELSEC L Series L26CPU-(P)BT All versions and MELIPC Series MI5122-VW All versions allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets. System reset is required for recovery.Improper Handling of Length Parameter Inconsistency vulnerability in MELSEC iQ-R Series R00/01/02CPU Firmware versions "24" and prior, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "57" and prior, MELSEC iQ-R Series R08/16/32/120SFCPU All versions, MELSEC iQ-R Series R08/16/32/120PCPU Firmware versions "29" and prior, MELSEC iQ-R Series R08/16/32/120PSFCPU All versions, MELSEC iQ-R Series R16/32/64MTCPU All versions, MELSEC iQ-R Series R12CCPU-V All versions, MELSEC Q Series Q03UDECPU All versions, MELSEC Q Series Q04/06/10/13/20/26/50/100UDEHCPU All versions, MELSEC Q Series Q03/04/06/13/26UDVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q04/06/13/26UDPVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q12DCCPU-V All versions, MELSEC Q Series Q24DHCCPU-V(G) All versions, MELSEC Q Series Q24/26DHCCPU-LS All versions, MELSEC Q Series MR-MQ100 All versions, MELSEC Q Series Q172/173DCPU-S1 All versions, MELSEC Q Series Q172/172DSCPU All versions, MELSEC Q Series Q170MCPU All versions, MELSEC Q Series Q170MSCPU(-S1) All versions, MELSEC L Series L02/06/26CPU(-P) All versions, MELSEC L Series L26CPU-(P)BT All versions and MELIPC Series MI5122-VW All versions allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets. System reset is required for recovery.chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.NTT helped the International Olympic Committee dodge a security bullet in Tokyo. The world will watch to see if it can pull off a similar feat in Beijing for the upcoming Winter Games.Group will advise and provide recommendations to the director to enhance the nationβs cyber defense.The open XDR-as-a-service provider will use investment to expand business operations and further development of its GreyMatter platform.IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205281.IBM QRadar SIEM 7.3 and 7.4 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. This vulnerability is due to an incomplete fix for CVE-2020-4786. IBM X-Force ID: 206087.IBM QRadar SIEM 7.3 and 7.4 could allow an attacker to obtain sensitive information due to the server performing key exchange without entity authentication on inter-host communications using man in the middle techniques. IBM X-Force ID: 203033.CloverDX Server before 5.11.2 and and 5.12.x before 5.12.1 allows XXE during configuration import.NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 196074.Companies offers external attack surface management platform to help companies prioritize, investigate, and respond to potential security risks.The Variation Swatches plugin security flaw lets attackers with low-level permissions tweak important settings on e-commerce sites to inject malicious scripts.This won't replace antivirus software, but it can help you detect problems much more efficiently and allows more customization. Here's how to install it on Mac, Windows and Linux.Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exits in hostel management system 2.1 via the name field in my-profile.php. Chaining to this both vulnerabilities leads to account takeover.Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group (e.g. staff) to view certain tags. Users who were tracking or watching the tags via /preferences/tags, then have their staff status revoked will still see notifications related to the tag, but will not see the tag on each topic. This issue has been patched in stable version 2.7.11. Users are advised to upgrade as soon as possible.Discourse is an open source discussion platform. In affected versions an attacker can poison the cache for anonymous (i.e. not logged in) users, such that the users are shown a JSON blob instead of the HTML page. This can lead to a partial denial-of-service. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of DiscourseIn versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.SQL Injection vulnerability exists in PHPGURUKUL Employee Record Management System 1.2 via the Email POST parameter in /forgetpassword.php."Yanluowang" strain appears to be establishing itself in the cybercrime marketplace, experts say.Service hosted Zeus, SpyEye, Citadel, Blackhole Exploit Kit malware aimed at US companies and financial institutions.The company plans to offer newly integrated services into its Ultra Secure portfolio and expand its sales, marketing, and service capabilities.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80040af8 in /formWlanSetup. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80046eb4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_80034d60 in /formStaticDHCP. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_800462c4 in /formAdvFirewall. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualApp. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function FUN_8004776c in /formVirtualServ. This vulnerability is triggered via a crafted POST request.D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_8003183C in /fromLogin. This vulnerability is triggered via a crafted POST request.Startup founders who previously served in the military share the lessons that have helped them build cybersecurity careers and companies.APT actors from Russia, China, and India have been observed using the RTF-template injection technique that researchers say is poised for wider adoption.Buffer overflow vulnerability in function SetFirewall in index.cgi in CIRCUTOR COMPACT DC-S BASIC smart metering concentrator Firwmare version CIR_CDC_v1.2.17, allows attackers to execute arbitrary code.Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link takes a user to the check_prereg_key_and_redirect endpoint, before getting redirected to POST to /accounts/register/. The problem was that validation was happening in the check_prereg_key_and_redirect part and not in /accounts/register/ - meaning that one could submit an expired confirmation key and be able to register. The issue is fixed in Zulip 4.8. There are no known workarounds and users are advised to upgrade as soon as possible.Mahavitaran android application 7.50 and prior transmit sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header, MITM or browser history.In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.Broward County School District backtracks after ransomware attackSenior developer also accused of posing as anonymous whistleblowerDiversity brings more varied solutions to major challenges in cybersecurity, just as it does in every other industry.thinkphp-bjyblog (last update Jun 4 2021) is affected by a Cross Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The exit function will terminate the script and print the message to the user which has $_SERVER['HTTP_HOST'].SakuraPanel v1.0.1.1 is affected by a Cross Site Scripting (XSS) vulnerability in /master/core/PostHandler.php. The exit function will terminate the script and print the message $data['proxy_name'].nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message which has the input $_GET['t'].pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in api/info.php. The exit function will terminate the script and print the message which has $_REQUEST['hash'].OCR has shown that its serious about patients being able to access their healthcare records β recently levied penalties serve as a reminder for organizations to know where PHI is at all times.In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.Nearly one in three victims succumb to extortion, estimates Group-IBThere's been a veritable gold rush of security vendors getting into secure access service edge. Now will any of the major IaaS vendors enter the market? Rik Turner makes the case."Must be at least THIS tall to go on ride" seems to be the starting point. Too little, too late? Or better than nothing?Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site.Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).Authenticated administrators may override the system configuration file and cause a denial of service.ecshop v2.7.3 is affected by a SQL injection vulnerability in shopex\ecshop\upload\api\client\api.php.Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.Newer top-level domains and certain hosting providers are frequent sources of malicious content, while newly registered domains and free SSL certificates are not any more likely than average to be risky, new research shows.AT&T is battling a modular malware called EwDoor on 5,700 VoIP servers, but it could have a larger wildcard certificate problem.Latest episode - listen now!bookstack is vulnerable to Cross-Site Request Forgery (CSRF)The ClickBank Affiliate Ads WordPress plugin through 1.20 does not escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored Cross-Site Scripting issuesArmeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock's power button, and must be able to capture BLE network communication.Cyberattackers made off with addresses, insurance information, dates of birth, and most worryingly, clinical information, such as diagnosis, procedures, and/or prescription information.Startling triple-digit growth is fueled by easy criminal access to corporate networks and RaaS tools, an analysis found.While we often worry about outside threats to our business data, insider threats are a growing problem. Here's how to secure your business.The breach, which compromised data such as insurance details and prescription information, took place between Oct. 9 and Oct. 17.CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data.Missing Handler vulnerability in the proprietary management protocol (port TCP 5558) of Hitachi Energy FOX61x, XCM20 allows an attacker that exploits the vulnerability by activating SSH on port TCP 5558 to cause disruption to the NMS and NE communication. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.Weak Password Requirements vulnerability in Hitachi Energy FOX61x, XCM20 allows an attacker to gain unauthorized access to the Data Communication Network (DCN) routing configuration. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.An issue was discovered on Renesas RX65 and RX65N devices. With a VCC glitch, an attacker can extract the security ID key from the device. Then, the protected firmware can be extracted.Proactively updating and integrating technology, and ensuring tight collaboration between IT and security β¦ it's simple, right? Well, not always β especially for organizations with limited resources.Researchers also observed a 70% average increase in attempted ransomware attacks.AOM v2.0.1 was discovered to contain a stack buffer overflow via the component src/aom_image.c.AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component rate_hist.c.AOM v2.0.1 was discovered to contain a segmentation violation via the component aom_dsp/x86/obmc_sad_avx2.c.AOM v2.0.1 was discovered to contain a stack buffer overflow via the component stats/rate_hist.c.LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow via decode_preR13.LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference via out_dxfb.c.AOM v2.0.1 was discovered to contain a NULL pointer dereference via the component av1/av1_dx_iface.c.AOM v2.0.1 was discovered to contain a global buffer overflow via the component av1/encoder/partition_search.h.Report explores cybercrime developments from the second half of 2020 through the first half of 2021.New requirements for financial institutions include vulnerability assessments, employee trainingAttackers that previously targeted the cloud platform provider have shifted their focus to additional products in the companyβs portfolio.An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44021.showdoc is vulnerable to URL Redirection to Untrusted SiteAn unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44020.dzzoffice 2.02.1_SC_UTF8 is affected by a Cross Site Scripting (XSS) vulnerability in explorerfile.php. The output of exit function will be print for the user exit(json_encode($return)).Trend Micro Security 2021 v17.0 (Consumer) contains a vulnerability that allows files inside the protected folder to be modified without any detection.A reachable assertion vulnerability in Trend Micro Apex One could allow an attacker to crash the program on affected installations, leading to a denial-of-service (DoS). Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44020 and 44021.When using LinkedIn and other social media accounts for professional reasons, there are important factors to consider about securing your personal data. Learn how to protect yourself from a hacker.$31 in digital coin stolen, an insider extortion attack, and a new cybersecurity resource for healthcare workers - catch up on the infosec news of the week with the Friday Five!Dark web fraudsters caught after stealing the identities of murder victimsVendors drag their heels when it comes to identifying software vulnerabilities and are often loath to expedite the fixes.Librenms 21.11.0 is affected by a path manipulation vulnerability in includes/html/pages/device/showconfig.inc.php.matyhtf framework v3.0.5 is affected by a path manipulation vulnerability in Smarty.class.php.** UNSUPPORTED WHEN ASSIGNED ** ThinkUp 2.0-beta.10 is affected by a path manipulation vulnerability in Smarty.class.php.βGood initial resultsβ, says one early adopterA new study of 17 malware frameworks shows threat actors always use USB drives to sneak malware into air-gapped environments and then steal data from there."Must be at least THIS tall to go on ride" seems to be the starting point. Too little, too late? Or better than nothing?Latest episode - listen now!The Kentico Xperience CMS version 13.0 Γ’β¬β 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account take over and accessing sensitive data.elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized ActorWe want to know what your biggest cloud security concerns and challenges are, and how your company is dealing with them. Weigh in with our exclusive poll!Mozilla's cryptographic code had a critical bug. Problem is that numerous apps are affected and may need patching individually.Many APIs are openly accessible online, and that means big chunks of your apps are, too. Cisco's Vijoy Pandey has tools and tips to help businesses get visibility into their APIs.LogFlow addresses data risks associated with machine data pipelines.IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site request forgery (CSRF) in the My Inbox page which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 202167.IBM Cognos Analytics 11.1.7 and 11.2.0 could allow an authenticated to view or edit a Jupyter notebook that they should not have access to. IBM X-Force ID: 206212.IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209706.IBM Cognos Analytics 11.1.7 and 11.2.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 196339.IBM Cognos Analytics 11.1.7 and 11.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 197794.IBM Cognos Analytics 11.1.7 and 11.2.0 could be vulnerable to client side vulnerabilties due to a web response specifying an incorrect content type. IBM X-Force ID: 201091IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view. IBM X-Force ID: 201087.Omicron COVID-19 variant anxiety inspires new phishing scam offering fake NHS tests to steal data.Organizations must improve their cybersecurity protocols to detect fraudulent identities and make sure they're safeguarding their consumersβ personal information.Jason Kent, hacker-in-residence at Cequence, found a way to exploit a Toyota API to get around the hassle of car shopping in the age of supply-chain woes.Service gives customers access to a CISO-led team of practitioners with a variety of skills and expertise.At least nine US State Department employee iPhones were targeted with sophisticated spyware developed by the Israeli firm NSO Group.All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.A Stack-based Buffer Overflow vlnerability exists in the Tenda AC15 V15.03.05.18_multi device via the list parameter in a post request in goform/SetIpMacBind.SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\Manage\Controller\GuestbookController.class.php.SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\Manage\Controller\DownloadController.class.php.tsMuxer v2.6.16 was discovered to contain a heap-based buffer overflow via the function HevcSpsUnit::short_term_ref_pic_set(int) in hevc.cpp.SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\Manage\Controller\AdvertController.class.php.This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.tsMuxer v2.6.16 was discovered to contain a heap-based buffer overflow via the function BitStreamReader::getCurVal in bitStream.h.Fake traffic observed on Nov. 26 included malicious scrapers, sophisticated botnets, fake accounts, and click farms.Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in stealing remote access credentials -- such as usernames and passwords needed to remotely connect to the target's network. In this post we'll look at the clues left behind by "Babam," the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields.HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file.An out-of-bounds write vulnerability exists when reading a JPG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing JPG files. Crafted data in a JPG (4 extraneous bytes before the marker 0xca) can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers).An out-of-bounds write vulnerability exists when reading a TIF file using Open Design Alliance (ODA) Drawings Explorer before 2022.11. The specific issue exists after loading TIF files. Crafted data in a TIF file can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.An out-of-bounds write vulnerability exists when reading U3D files in Open Design Alliance PRC SDK before 2022.11. An unchecked return value of a function (verifying input data from a U3D file) leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process.A use-after-free vulnerability exists when reading a DWF/DWFX file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing DWF/DWFX files. Crafted data in a DWF/DWFX file and lack of proper validation of input data can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.An out-of-bounds write vulnerability exists when reading a DGN file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DGN files. Crafted data in a DGN file and lack of proper validation for the XFAT sectors count can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Two unauthenticated SQL injection vulnerabilities were discovered, allowing arbitrary SQL queries to be injected and executed under the postgres superuser account. Remote code execution was possible, leading to full access to the postgres user account.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A crafted HTTP request could induce a format string vulnerability in the privileged vaultServer application.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The password for the PostgreSQL wguest account is weak.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The apache user could read arbitrary files such as /etc/shadow by abusing an insecure Sudo rule.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. Multiple functions in the bpserverd daemon were vulnerable to arbitrary remote code execution as root. The vulnerability was caused by untrusted input (received by the server) being passed to system calls.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The privileged vaultServer could be leveraged to create arbitrary writable files, leading to privilege escalation.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The SNMP daemon was configured with a weak default community.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A world writable file allowed local users to execute arbitrary code as the user apache, leading to privilege escalation.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The wguest account could execute commands by injecting into PostgreSQL trigger functions. This allowed privilege escalation from the wguest user to the postgres user.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Samba file sharing service allowed anonymous read/write access.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. The Unitrends Windows agent was vulnerable to DLL injection and binary planting due to insecure default permissions. This allowed privilege escalation from an unprivileged user to SYSTEM.An issue was discovered in Kaseya Unitrends Backup Appliance before 10.5.5. A buffer overflow existed in the vaultServer component. This was exploitable by a remote unauthenticated attacker.Security firm said attackers executed a βtransfer-out, swap, and washβvim is vulnerable to Use After FreeVINGA WR-N300U 77.102.1.4853 is affected by a command execution vulnerability in the goahead component.Mozilla's cryptographic code had a critical bug. Problem is that numerous apps are affected and may need patching individually.In Canon LBP223 printers, the System Manager Mode login does not require an account password or PIN. An attacker can remotely shut down the device after entering the background, creating a denial of service vulnerability.If zero trust is to work properly, then it must apply to everyone.One good way to prevent unwelcome participants or late arrivals from joining your Zoom meetings is to lock those meetings. Here's a look at how it's done.Personal data, account access is at riskThink of a number, any number. Take away 42. Add 42 back in. Then pretend you didn't take away 42. How much is left?It's unknown who's behind the cyberattacks against at least nine employees' iPhones, who are all involved in Ugandan diplomacy.Care home communications tool conundrumThe Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issueThe WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX actionThe LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issueThe PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacksThe WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletionThe Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedThe Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issueThe Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issueThe Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issuesThe Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.YARA won't replace antivirus software, but it can help you detect problems more efficiently and allows more customization. Learn how to write YARA rules to improve security and incident response .The gang is using a variety of tools and malware to carry out attacks in volume on critical sectors, the FBI warned.The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.Serv-U server responds with valid CSRFToken when the request contains only Session.Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data.Invenio-Drafts-Resources is a submission/deposit module for Invenio, a software framework for research data management. Invenio-Drafts-Resources prior to versions 0.13.7 and 0.14.6 does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated a user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all require fields filled out). An attacker is not able to modify the data in the record, and thus e.g. *cannot* change a record from restricted to public. The problem is patched in Invenio-Drafts-Resources v0.13.7 and 0.14.6, which is part of InvenioRDM v6.0.1 and InvenioRDM v7.0 respectively.When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine.Assuming a database breach, nonce reuse issues in GitLab 11.6+ allows an attacker to decrypt some of the database's encrypted contentThe authentication algorithm of the WebHMI portal is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above.runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.Last week, the Transportation Security Administration continued its 60-day sprint around securing high-risk transit systems by mandating railroad owners disclose cybersecurity incidents within 24 hours.U.S. military acknowledges targeting cybercriminals who launch attacks on U.S. companies.Clusters of activity associated with the attack group behind last year's supply chain breach reveal novel techniques, researchers say.Gen. Paul Nakasoke, head of US Cyber Command and director of the NSA, said the military has taken offensive action against ransomware groups.Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled on a Windows host. A malicious user can potentially read any file on the file system by crafting a special URL that allows for directory traversal. This is only possible on a Wiki.js server running on Windows, when a storage module implementing local asset cache (e.g Local File System or Git) is enabled and that no web application firewall solution (e.g. cloudflare) strips potentially malicious URLs. Commit number 414033de9dff66a327e3f3243234852f468a9d85 fixes this vulnerability by sanitizing the path before it is passed on to the storage module. The sanitization step removes any windows directory traversal sequences from the path. As a workaround, disable any storage module with local asset caching capabilities (Local File System, Git).BitMart confirmed it had been drained of ~$150 million in cryptocurrency assets, but a blockchain security firm said it's closer to $200 million.The so-called Nikel cyber espionage attack group - aka APT15, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon - has been in Microsoft's sights since 2016.b2evolution CMS v7.2.3 was discovered to contain a SQL injection vulnerability via the parameter cfqueryparam in the User login section. This vulnerability allows attackers to execute arbitrary code via a crafted input.An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14076).An SSRF issue was discovered in SquaredUp for SCOM 5.2.1.6654.b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14079).An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14078).Laravel v5.1 was discovered to contain a deserialization vulnerability via the component \Mockery\Generator\DefinedTargetClass.An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14080).snipe-it is vulnerable to Server-Side Request Forgery (SSRF)Piwigo v11.5 was discovered to contain a SQL injection vulnerability via the parameter pwg_token in /admin/batch_manager_global.php.An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14074).An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14075).The program helps close the skill gap to enable defenders to gain the advantage over cyber adversaries.naholyr github-todos 3.1.0 is vulnerable to command injection. The range argument for the _hook subcommand is concatenated without any validation, and is directly used by the exec function.Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution).calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in html_preprocess_rules in ebooks/conversion/preprocess.py.Apple MDM service forced to execute arbitrary web requestsGet access to certification trainings, tech classes, art lessons and much more. You'll get lifetime access, so you can learn whenever you have the time.grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378.livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the userΓ’β¬β’s browser.A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allows a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but not not disclose features.A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.One year after the disruptive supply-chain attacks, researchers have observed two new clusters of activity from the Russia-based actors that signal a significant threat may be brewing.Adobe Bridge versions 11.1.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious SGI file.An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform an arbitrary file write.An issue was discovered in SquaredUp for SCOM 5.2.1.6654. The Download Log feature in System / Maintenance was susceptible to a local file inclusion vulnerability (when processing remote input in the log files downloaded by an authenticated administrator user), leading to the ability to read arbitrary files on the server filesystems.An issue was discovered in Mahavitaran android application 7.50 and below, allows local attackers to read cleartext username and password while the user is logged into the application.A unauthenticated denial of service vulnerability exists in Citrix ADC <13.0-83.27, <12.1-63.22 and 11.1-65.23 when configured as a VPN (Gateway) or AAA virtual server could allow an attacker to cause a temporary disruption of the Management GUI, Nitro API, and RPC communication.A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service.An exposed dangerous function vulnerability exists in Ivanti Avalanche before 6.3.3 using inforail Service allows Privilege Escalation via Enterprise Server Service.An improper authorization control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.A vulnerability found in UniFi Switch firmware Version 5.43.35 and earlier allows a malicious actor who has already gained access to the network to perform a Deny of Service (DoS) attack on the affected switch.This vulnerability is fixed in UniFi Switch firmware 5.76.6 and later.A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.Adobe Bridge versions 11.1.1 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious SGI file.A SQL Injection vulnerability exists in Ivanti Avalance before 6.3.3 allows an attacker with access to the Inforail Service to perform privilege escalation.A cross-site scripting (XSS) vulnerability in Image Tile in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via an SVG file.An improper access control vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform a session takeover.A cross-site scripting (XSS) vulnerability in integration configuration in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via dashboard actions.An unrestricted file upload vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to write dangerous files.A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.A cross-site scripting (XSS) vulnerability in integration configuration in SquaredUp for SCOM 5.2.1.6654 allows remote attackers to inject arbitrary web script or HTML via modification of the authorisationUrl in some integration configurations.A DOM-based XSS vulnerability affects SquaredUp for SCOM 5.2.1.6654. If successfully exploited, this vulnerability may allow attackers to inject malicious code into a user's device.Deepfakes are increasingly concerning because they use AI to imitate human activities and can be used to augment social engineering attacks.The new service protects against current and future cyberattacks, according to Quantinuum CEO, and works with existing cybersecurity systems.Two critical flaws addressed in cloud storage patch batchUnderlying security vulnerability is still present in popular OS, researchers warnPassword managers provide a more effective way to stay secure online but are still underutilized, says Security.org.There is a Memory leak vulnerability with the codec detection module in Huawei Smartphone.Successful exploitation of this vulnerability may cause the device to restart due to memory exhaustion.There is an Input verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause some services to restart.There is a Logic bypass vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to obtain certain device information.There is an Improper access control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.There is an Improper verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause out-of-bounds read.There is an Improper permission control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to obtain certain device information.Cross Site Scripting (XSS) in redirect module of Racktables version 0.21.2, allows an attacker to inject arbitrary web script or HTML via the op parameter.Misaligned incentives are undermining efforts to tackle TLD bugs with βmass-scale impactβThere is an Improper verification vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause out-of-bounds read.The malware's unique blockchain-enabled backup C2 scheme makes it difficult to eliminate completely.Firefox 95.0 is out, with the usual security fixes... plus some funky new ones.Think of a number, any number. Take away 42. Add 42 back in. Then pretend you didn't take away 42. How much is left?With pandemic-induced pressures impacting many employees, burnout can easily lead to security risks, says 1Password.There is a Improper Validation of Array Index vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to memory overflow and information leakage.There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to system denial of service.There is a NULL Pointer Dereference vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to kernel crash.There is a Resource Management Errors vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to denial of Service Attacks.There is a Improper Preservation of Permissions vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to attackers which can isolate and read synchronization files of other applications across the UID sandbox.There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to delete arbitrary file by system_app permission.There is a Improper Limitation of a Pathname to a Restricted Directory vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to arbitrary file created.There is a Stack-based Buffer Overflow vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to Out-of-bounds read.There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to nearby crash.There is a Integer Overflow or Wraparound vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to remote denial of service and potential remote code execution.There is a Path Traversal vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to delete any file.There is a Uncontrolled Resource Consumption vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to Screen projection application denial of service.There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to user privacy disclosed.The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 takes a user-supplied Γ’β¬ΕactionΓ’β¬οΏ½ parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the action. This permits an attacker to execute any PHP source file with a .php extension that is present on the disk and readable by the GOautodial web server process. Combined with CVE-2021-43175, it is possible for the attacker to do this without valid credentials. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:CPrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 exposes an API router that accepts a username, password, and action that routes to other PHP files that implement the various API functions. Vulnerable versions of GOautodial validate the username and password incorrectly, allowing the caller to specify any values for these parameters and successfully authenticate. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:CThere is a Permissions,Privileges,and Access Controls vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to confidentiality affected.There is a Stack-based Buffer Overflow vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to device cannot be used properly.There is a Improper Authentication vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to account authentication bypassed.Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like `a.a.` Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression. The maintainers added a check for email addresses that are no longer valid that will print information about any affected orders that exist. If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.In 2022, data governance, risk, and compliance (GRC) and security need to partner to implement a modern approach to data protection: insider risk management.There's an argument injection weakness in the Windows 10/11 default handler, researchers said: an issue that Microsoft has only partially fixed.Underground arbitration system settles disputes between cybercriminals.Amzetta zPortal Windows zClient is affected by Integer Overflow. IOCTL Handler 0x22001B in the Amzetta zPortal Windows zClient <= v3.2.8180.148 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.NoMachine Enterprise Desktop is affected by Integer Overflow. IOCTL Handler 0x22001B in the NoMachine Enterprise Desktop above 4.0.346 and below 7.7.4 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.A buffer overflow in os/net/mac/ble/ble-l2cap.c in the BLE stack in Contiki-NG 4.4 and earlier allows an attacker to execute arbitrary code via malicious L2CAP frames.FlexiHub For Windows is affected by Buffer Overflow. IOCTL Handler 0x22001B in the FlexiHub For Windows above 2.0.4340 below 5.3.14268 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.AmZetta Amzetta zPortal DVM Tools is affected by Integer Overflow. IOCTL Handler 0x22001B in the Amzetta zPortal DVM Tools <= v3.3.148.148 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.NoMachine Cloud Server is affected by Buffer Overflow. IOCTL Handler 0x22001B in the NoMachine Cloud Server above 4.0.346 and below 7.7.4 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.NoMachine Enterprise Desktop is affected by Buffer Overflow. IOCTL Handler 0x22001B in the NoMachine Enterprise Desktop above 4.0.346 and below 7.7.4 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.Donglify is affected by Buffer Overflow. IOCTL Handler 0x22001B in the Donglify above 1.0.12309 below 1.7.14110 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might not be publicly accessible.NoMachine Enterprise Client is affected by Integer Overflow. IOCTL Handler 0x22001B in the NoMachine Enterprise Client above 4.0.346 and below 7.7.4 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.A denial-of-service attack in WPA2, and WPA3-SAE authentication methods in TP-Link AX10v1 before V1_211014, allows a remote unauthenticated attacker to disconnect an already connected wireless client via sending with a wireless adapter specific spoofed authentication framesGrafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.FlexiHub For Windows is affected by Integer Overflow. IOCTL Handler 0x22001B in the FlexiHub For Windows above 2.0.4340 below 5.3.14268 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.A missing bounds check in image blurring code prior to WhatsApp for Android v2.21.22.7 and WhatsApp Business for Android v2.21.22.7 could have allowed an out-of-bounds write if a user sent a malicious image.NoMachine Server is affected by Integer Overflow. IOCTL Handler 0x22001B in the NoMachine Server above 4.0.346 and below 7.7.4 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.NoMachine Cloud Server is affected by Integer Overflow. IOCTL Handler 0x22001B in the NoMachine Cloud Server above 4.0.346 and below 7.7.4 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.Eltima USB Network Gate is affected by Integer Overflow. IOCTL Handler 0x22001B in the USB Network Gate above 7.0.1370 below 9.2.2420 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote account takeover due to OTP fixation vulnerability in password rest functionAmzetta zPortal Windows zClient is affected by Buffer Overflow. IOCTL Handler 0x22001B in the Amzetta zPortal Windows zClient <= v3.2.8180.148 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.U.S. cybersecurity services firm expands internationally into Latin America.Managing Windows Hello hybrid certificate trust model on DigiCert PKI platform streamlines enterprise passwordless authentication and access, an industry first for public Certification Authorities (CAs).Rubrik Cloud Vault provides data recovery assurance against ransomware attacks for Microsoft Azure customers, even if they maintain a hybrid environment.The privilege-escalation flaws affect Amazon WorkSpaces and more than a dozen services that use a particular implementation of USB over Ethernet.The company has also launched litigation against the Glupteba botnet, marking the first lawsuit against a blockchain-enabled botnet.GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allow cgi-bin/router_cgi?action=scanwifi XSS when an attacker creates an SSID with an XSS payload as the name.A Buffer Overflow vulnerability exists in Accops HyWorks Windows Client prior to v 3.2.8.200. The IOCTL Handler 0x22005B allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the "back" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator.The debug-meta-data plugin 1.1.2 for WordPress allows XSS.An issue was discovered in Solar-Log 500 before 2.8.2 Build 52 23.04.2013. In /export.html, email.html, and sms.html, cleartext passwords are stored. This may allow sensitive information to be read by someone with access to the device.The web administration server in Solar-Log 500 before 2.8.2 Build 52 does not require authentication, which allows remote attackers to gain administrative privileges by connecting to the server. As a result, the attacker can modify configuration files and change the system status.The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral.In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)An Integer Overflow vulnerability exists in Accops HyWorks DVM Tools prior to v3.3.1.105 . The IOCTL Handler 0x22005B in the Accops HyWorks DVM Tools prior to v3.3.1.105 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.An Integer Overflow exists in Accops HyWorks Windows Client prior to v 3.2.8.200. The IOCTL Handler 0x22001B in the Accops HyWorks Windows Client prior to v 3.2.8.200 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.An Integer Overflow vulnerability exists in Accops HyWorks Windows Client prior to v 3.2.8.200. The IOCTL Handler 0x22005B in the Accops HyWorks Windows Client prior to v 3.2.8.200 allow local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.Authenticated Blind & Error-based SQL injection vulnerability was discovered in Online Enrollment Management System in PHP and PayPal Free Source Code 1.0, that allows attackers to obtain sensitive information and execute arbitrary SQL commands via IDNO parameter.Raspberry Pi OS through 5.10 has the raspberry default password for the pi account. If not changed, attackers can gain administrator privileges.A Buffer Overflow vulnerability exists in Accops HyWorks Windows Client prior to v 3.2.8.200. The IOCTL Handler 0x22001B allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.An issue was discovered in Couchbase Sync Gateway 2.7.0 through 2.8.2. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these credentials to obtain write access. (This issue does not affect clusters where Sync Gateway is authenticated with X.509 client certificates. This issue also does not affect clusters where shared bucket access is not enabled on Sync Gateway.)A Buffer Overflow vulnerability exists in Accops HyWorks DVM Tools prior to v3.3.1.105. The IOCTL Handler 0x22001B allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.An Integer Overflow vulnerability exists in Accops HyWorks DVM Tools prior to v3.3.1.105 .The IOCTL Handler 0x22001B allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) via specially crafted I/O Request Packet.Admidio is a free open source user management system for websites of organizations and groups. A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious scripts. This issue is patched in version 4.0.12.More than two-Thirds (69%) of respondents believe an attack on their storage & backup environment will have "significant" or "catastrophic" impact.Bitwarden survey also finds that half of IT professionals share their passwords with colleaguesA new business model has been uncovered that makes it much easier for attackers to gain access to business' networksThree agreements have been signed which focus on facilitating digital trade, cyber security, and digital identities between the two nationsWe look at what SSID is and how it is used to connect devices to the internetWe explain how SSO works and why you need itThe charity has not linked the incident to the recent pressure campaign from Britain FirstUnless youβre a complete Windows 11 novice, youβll have come across Safe Mode before - but what exactly is it, and how do you access it in Windows 11?Why failing to address a shortage of women in senior roles puts businesses at risk - issue 23 is available to download nowWhy your company needs them, and what they should includeHackers managed to get away with at least $150 million (Β£113 million) in cryptocurrenciesCatch up on the biggest headlines of the week in just two minutesJournalists and activists must adopt extra protective measure under new ruleSecurity at the forefrontIt's believed as much as 62% of Zoho instances globally are using vulnerable software versionsEncountering Windows' dreaded BSOD error is never fun, but it's possible to diagnose the problem with a few simple stepsA study of enterprises using next-generation application deliveryTaking a closer look at how cyber threats are investigated at a network levelHackers defeated Google Play restrictions by using smaller droppers in apps and eliminating permissions neededSoftware engineer Nickolas Sharp faces 37 years in prison for allegedly exploiting his access credentials to extort his employerA National Audit Office report has also branded plans to recover 0.1% of stolen funds "inadequate"In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.SonicWall Global VPN client version 4.10.6 (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability. Successful exploitation via a local attacker could result in remote code execution in the target system.A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.A relative path traversal vulnerability in the SMA100 upload funtion allows a remote unauthenticated attacker to upload crafted web pages or files as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.A post-authentication remote command injection vulnerability in SonicWall SMA100 allows a remote authenticated attacker to execute OS system commands in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST http method allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.A Heap-based buffer overflow vulnerability in SonicWall SMA100 getBookmarks method allows a remote authenticated attacker to potentially execute code as the nobody user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.A buffer overflow vulnerability in SMA100 sonicfiles RAC_COPY_TO (RacNumber 36) method allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.An unauthenticated and remote adversary can consume all of the device's CPU due to crafted HTTP requests sent to SMA100 /fileshare/sonicfiles/sonicfiles resulting in a loop with unreachable exit condition. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.An unauthenticated remote attacker can use SMA 100 as an unintended proxy or intermediary undetectable proxy to bypass firewall rules. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.The botnet, which resurfaced last month on the back of TrickBot, can now directly install Cobalt Strike on infected devices, giving threat actors direct access to targets.New, global-scale attacks aren't a security problem; they're a big data problem requiring a data-led solution.A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to use the device as a proxy and reach external or protected hosts via redirection handlers.A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage.A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to make the httpsd daemon unresponsive via huge HTTP packetsA url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlersA improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to SAML login handlerA relative path traversal [CWE-23] vulnerabiltiy in FortiOS versions 7.0.0 and 7.0.1 and FortiProxy verison 7.0.0 may allow an unauthenticated, unauthorized attacker to inject path traversal character sequences to disclose sensitive information of the server via the GET request of the login page.An integer overflow or wraparound vulnerability in the memory allocator of SSLVPN in FortiOS before 7.0.1 may allow an unauthenticated attacker to corrupt control data on the heap via specifically crafted requests to SSLVPN, resulting in potentially arbitrary code execution.A stack-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, allows an authenticated attacker to execute unauthorized code or commands via crafted certificates loaded into the device.A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.A use of hard-coded cryptographic key vulnerability in the SSLVPN of FortiOS before 7.0.1 may allow an attacker to retrieve the key by reverse engineering.Kaspersky survey finds 34% of telehealth providers admit to a wrong diagnosis due to poor video or photo quality.Firefox 95.0 is out, with the usual security fixes... plus some funky new ones.Security pros surveyed by One Identity cited a lack of clarity, other priorities and a lack of resources as bumps on the road to Zero Trust.ETS Password Recovery Tool allows you to recover passwords for an ETS5 project. This is due to a significant design flaw as ETS5 uses a hard-coded password and salt to encrypt the project information.TSA issues mandatory requirements for βhigh-riskβ rail infrastructureAn HTTP request smuggling attack in TP-Link AX10v1 before v1_211117 allows a remote unauthenticated attacker to DoS the web application via sending a specific HTTP packet.Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows unstrusted applications to get current tab URL in Samsung Internet.Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID.There is a Code Injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to system restart.An improper privilege management vulnerability in Apps Edge application prior to SMR Dec-2021 Release 1 allows unauthorized access to some device data on the lockscreen.There is a Race Condition vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to availability affected.An improper validation vulnerability in telephony prior to SMR Dec-2021 Release 1 allows attackers to launch certain activities.There is a Missing sensitive data encryption vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.There is an Identity spoofing and authentication bypass vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service confidentiality.An improper boundary check in secure_log of LDFW and BL31 prior to SMR Dec-2021 Release 1 allows arbitrary memory write and code execution.An improper validation vulnerability in FilterProvider prior to SMR Dec-2021 Release 1 allows attackers to write arbitrary files via a path traversal vulnerability.An improper validation vulnerability in FilterProvider prior to SMR Dec-2021 Release 1 allows local arbitrary code execution.There is an Invalid address access vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the device to restart.An issue was discovered in Allegro Windows (formerly Popsy Windows) before 3.3.4156.1. A standard user can escalate privileges to SYSTEM if the FTP module is installed, because of DLL hijacking.A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the ql_expression parameter, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.An improper intent redirection handling in Tags prior to SMR Dec-2021 Release 1 allows attackers to access sensitive information.An improper usage of implicit intent in SemRewardManager prior to SMR Dec-2021 Release 1 allows attackers to access BSSID.Improper check or handling of exception conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows attacker to use NFC without user recognition.There is a Heap-based buffer overflow vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may rewrite the memory of adjacent objects.There is a Service logic vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause WLAN DoS.In a matter of days, a large-scale outage of cloud and other online services could cause $15 billion in losses.Researchers have found a number of high-security vulnerabilities in third-party driver software β bugs that originated in a library created by network virtualization firm Eltima β that leave about a dozen cloud services used by millions of users worldwide open to privilege-escalation attacks. That includes Amazon WorkSpaces, Accops and NoMachine, among others: all apps that [β¦]A privilege escalation vulnerability in FortiNAC versions 8.8.8 and below and 9.1.2 and below may allow an admin user to escalate the privileges to root via the sudo command.utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs.A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 could allow a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.SQL injection vulnerability was discovered in Aanderaa GeoView Webservice prior to version 2.1.3 that could allow an unauthenticated attackers to execute arbitrary commands.An authentication bypass by capture-replay vulnerability [CWE-294] in FortiClient EMS versions 7.0.1 and below and 6.4.4 and below may allow an unauthenticated attacker to impersonate an existing user by intercepting and re-using valid SAML authentication messages.A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted GET parameters in requests to login and error handlersGrafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API.While not sweeping, new legislation recently introduced in Michigan would push businesses to establish and maintain a written cybersecurity program to protect personal information.We put the web's three most popular browsers head-to-headEquipping organisations with the right tools for business resiliencePreviously debuting on Windows PCs in 2019, the Secured-core initiative has reached servers in a bid to better protect infrastructure from cyber attacks like ransomwareThe Glupteba botnet infected approximately one million Windows machines to steal data and mine cryptocurrenciesPhishing remains an effective attach mechanism, finds global testIt's reportedly the first time this has happened since the takedown of Emotet in January 2021, say the researchers who made the discovery.To transition to a zero-trust architecture, focus on doing the things that offer the most value.Now-patched bugs were easy to exploit, but required prior authentication/network accessAttackers are milking unpatched Hikvision video systems to drop a DDoS botnet, researchers warned.If you are a cybersecurity professional with at least five years of experience, you can take the exam that will boost your career with an elite certification. Here's a great way to prepare.The latest version of Firefox is now available and includes an important step forward for web browser security.The Yubico YubiHSM YubiHSM2 library 2021.08, included in the yubihsm-shell project, does not properly validate the length of some operations including SSH signing requests, and some data operations received from a YubiHSM 2 device.PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code.`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.Multiple command injection vulnerabilities in the command line interpreter of FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, and 6.1.0 through 6.1.2 may allow an authenticated attacker to execute arbitrary commands on the underlying system shell via specially crafted command arguments.Allegro WIndows 3.3.4152.0, embeds software administrator database credentials into its binary files, which allows users to access and modify data using the same credentials.Multiple heap-based buffer overflow vulnerabilities in some web API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow a remote authenticated attacker to execute arbitrary code or commands via specifically crafted HTTP requests.Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 thorugh 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer.A heap-based buffer overflow in the firmware signature verification function of FortiOS versions 7.0.1, 7.0.0, 6.4.0 through 6.4.6, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.13 may allow an attacker to execute arbitrary code via specially crafted installation images.PineApp - Mail Secure - Attacker sending a request to :/blocking.php?url=<script>alert(1)</script> and stealing cookies .SYNEL - eharmonynew / Synel Reports - The attacker can log in to the system with default credentials and export a report of eharmony system with sensetive data (Employee name, Employee ID number, Working hours etc') The vulnerabilety has been addressed and fixed on version 11. Default credentials , Security miscommunication , Sensetive data exposure vulnerability in Synel Reports of SYNEL eharmonynew, Synel Reports allows an attacker to log into the system with default credentials. This issue affects: SYNEL eharmonynew, Synel Reports 8.0.2 version 11 and prior versions.The lurking code-bombs lift Discord tokens from users of any applications that pulled the packages into their code bases.Cybercriminals are increasingly adopting "living-off-the-landβ techniques, leveraging commonly used tools to fly under the radar of conventional detection tools. But with AI, thousands of organizations have regained the upper hand.NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h in function read_udp_push_config_file. A specially-crafted network packet can lead to code execution.Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. *This bug only affects Firefox for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.*. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.When a user loaded a Web Extensions context menu, the Web Extension could access the post-redirect URL of the element clicked. If the Web Extension lacked the WebRequest permission for the hosts involved in the redirect, this would be a same-origin-violation leaking data the Web Extension should have access to. This was fixed to provide the pre-redirect URL. This is related to CVE-2021-43532 but in the context of Web Extensions. This vulnerability affects Firefox < 94.A privilege escalation vulnerability exists in the Remote Server functionality of Dream Report ODS Remote Connector 20.2.16900.0. A specially-crafted command injection can lead to elevated capabilities. An attacker can provide a malicious file to trigger this vulnerability.A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 94.Using the Location API in a loop could have caused severe application hangs and crashes. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.An unauthenticated attacker is able to send a special HTTP request, that causes a service to crash. In case of a standalone VRM or BVMS with VRM installation this crash also opens the possibility to send further unauthenticated commands to the service. On some products the interface is only local accessible lowering the CVSS base score. For a list of modified CVSS scores, please see the official Bosch Advisory Appendix chapter Modified CVSS Scores for CVE-2021-23859When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird < 91.4.0.When parsing internationalized domain names, high bits of the characters in the URLs were sometimes stripped, resulting in inconsistencies that could lead to user confusion or attacks such as phishing. This vulnerability affects Firefox < 94.Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000).An error in a page handler of the VRM may lead to a reflected cross site scripting (XSS) in the web-based interface. To exploit this vulnerability an attack must be able to modify the HTTP header that is sent. This issue also affects installations of the DIVAR IP and BVMS with VRM installed.Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to XSS and spoofing attacks. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 95.An out-of-bounds write vulnerability exists in the CMD_DEVICE_GET_SERVER_LIST_REQUEST functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h in function recv_server_device_response_msg_process. A specially-crafted network packet can lead to code execution.A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95.The initial apps in Google Play were safe, but the creators found a way around the Play Store's protections to install malware on Android users' devices. Here's how it happened and how to stay safe.Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24.A 31-year-old Canadian man has been arrested and charged with fraud in connection with numerous ransomware attacks against businesses, government agencies and private citizens throughout Canada and the United States. Canadian authorities describe him as "the most prolific cybercriminal we've identified in Canada," but so far they've released few other details about the investigation or the defendant. Helpfully, an email address and nickname apparently connected to the accused offer some additional clues.wbce_cms is vulnerable to Improper Neutralization of Special Elements used in an SQL CommandβWith all good intentions, I had placed the Grafana team in a bit of a stressful situationβ, researcher admitsEnterprises will see improved access to data and more relevant insights that will enable them to further strengthen their cybersecurity postures.Scholarships are part of an effort to bridge the cybersecurity workforce gap.Solution secures cloud-to-Internet, cloud-to-cloud, cloud-to-data center, and intra-cloud communications.Investment aims to accelerate growth through continued product innovation and global expansion.Scholarship's goal is to advance women in cybersecurity, risk, and privacy.Fraud awareness training is just the beginning.Multiple questions remain about July data breachAn attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.A path traversal attack in web interfaces of Netgear RAX35, RAX38, and RAX40 routers before v1.0.4.102, allows a remote unauthenticated attacker to gain access to sensitive restricted information, such as forbidden files of the web application, via sending a specially crafted HTTP packet.The powerful devices leveraged by the Meris botnet have weaknesses that make them easy to exploit, yet complex for organizations to track and secure, researchers said.Free-to-use feature can help users gauge whether the CRS protects against payloadsThe latest integration furthers the companyβs mission to provide an unmatched security model for businesses, without adding complexity for users.Attackers can capitalize on a feature in Outlook that makes spoofed messages appear legitimate, says email security provider Avanan.An unauthenticated command injection vulnerability exists in the parameters of operation 48 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999.Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue.An unauthenticated command injection vulnerability exists in the parameters of operation 41 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999.An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.An authentication bypass (account takeover) vulnerability exists in Premiumdatingscript 4.2.7.7 due to a weak password reset mechanism in requests\user.php.Cross Site Scripting (XSS) vulnerability in McAfee Network Security Manager (NSM) prior to 10.1 Minor 7 allows a remote authenticated administrator to embed a XSS in the administrator interface via specially crafted custom rules containing HTML. NSM did not correctly sanitize custom rule content in all scenarios.An authentication bypass vulnerability exists in the get_aes_key_info_by_packetid() function of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. Generic network sniffing can lead to password recovery. An attacker can sniff network traffic to trigger this vulnerability.An unauthenticated command injection vulnerability exists in the parameters of operation 3 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999.An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, the ssh key could be used to login to the development server hosted in Amazon Web Services.An unauthenticated command injection vulnerability exists in the parameters of operation 10 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999.An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower routerΓ’β¬β’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the web interface.A command execution vulnerability exists in the wifi_country_code_update functionality of the home_security binary of Anker Eufy Homebase 2 2.1.6.9h. A specially-crafted set of network packets can lead to arbitrary command execution.An unauthenticated command injection vulnerability exists in the parameters of operation 49 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999.An Incorrect Access Control vulnerability exists in Premiumdatingscript 4.2.7.7 via the password change procedure in requests\user.php.Gryphon Tower routers contain an unprotected openvpn configuration file which can grant attackers access to the Gryphon homebound VPN network which exposes the LAN interfaces of other users' devices connected to the same service. An attacker could leverage this to make configuration changes to, or otherwise attack victims' devices as though they were on an adjacent network.A reflected cross-site scripting vulnerability exists in the url parameter of the /cgi-bin/luci/site_access/ page on the Gryphon Tower router's web interface. An attacker could exploit this issue by tricking a user into following a specially crafted link, granting the attacker javascript execution in the context of the victim's browser.An unauthenticated command injection vulnerability exists in the parameters of operation 32 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999.A reflected Cross Site Scripting (XSS) vulnerability exists in Premiumdatingscript 4.2.7.7 via the aerror_description parameter in assets/sources/instagram.php script.An SQL Injection vulnerability exists in Premiumdatingscript 4.2.7.7 via the ip parameter in connect.php. .Left unchecked, these attacks could have devastating effects on government and military secrets and jeopardize the software supply chain and the global economy.Listen now or read as an article! (Full transcript inside.)The number of new security flaws recorded by NIST has already surpassed the total for 2020, the fifth record-breaking year in a row.Need to lock down that Linux server so certain remote users can only access a specific directory and only for file upload and download purposes? Jack Wallen shows you how.Security experts say the first hours in a phishing page's life are the most dangerous for users.It's the first year of major holiday travel in the post-pandemic remote work world. Here's what businesses can do to protect themselves from elevated holiday cybersecurity risks.IBM Db2 9.7, 10.1, 10.5, 11.1, and 11.5 may be vulnerable to an Information Disclosure when using the LOAD utility as under certain circumstances the LOAD utility does not enforce directory restrictions. IBM X-Force ID: 199521.An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users.IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a local user to gain privileges due to allowing modification of columns of existing tasks. IBM X-Force ID: 210321.IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 could allow a user with DBADM authority to access other databases and read or modify files. IBM X-Force ID: 199914.IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1, and 11.5 is vulnerable to an information disclosure as a result of a connected user having indirect read access to a table where they are not authorized to select from. IBM X-Force ID: 210418.IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, 11.1, and 11.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available CPU resources. IBM X-Force ID: 211405.When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console.A Cross Site Request Forgery (CSRF) vulnerability exits in ZZZCMS V1.7.1 via the save_user funciton in save.php.A Cross Site Scripting (XSS) exists in ZZZCMS V1.7.1 via an editfile action in save.php.Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch.An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.HackerOne study charts effects of digital transformation and cloud migrationRLBox can be used to protect web browsers and other software applications from vulnerabilities in subcomponents and libraries.pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')pimcore is vulnerable to Cross-Site Request Forgery (CSRF)The threat group, first identified in June, focuses solely on data exfiltration and subsequent extortion, and has already targeted 40 victims since September.Wide range of enterprise software impacted by CVSS 10-rated bugExploring ransomware and other data integrity risks from accelerated digital transformation in the wake of COVID-19.nfstream is a Python package providing fast, flexible, and expressive data structures designed to make working with online or offline network data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world network data analysis in Python. Additionally, it has the broader goal of becoming a common network data processing framework for researchers providing data reproducibility across experiments.An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may read a password file (with reversible passwords) from the device, which allows decoding of other users' passwords.An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may load customized firmware (because the bootloader does not verify that it is authentic), changing the behavior of the gateway.A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform spoofing attack.An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker (with knowledge of the protocol) to execute arbitrary code on the controller including overwriting firmware, adding/removing users, disabling the internal firewall, etc.Underground service promised to render malicious software fully undetectable by nearly every major antivirus providerCyberattackers are targeting security vulnerabilities in four plugins plus Epsilon themes, to assign themselves administrative accounts.Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j productThe Dark Reading editorial team, along with contributing writers and editors, share their favorite stories and memories of co-founder and editor-in-chief Tim Wilson, an influential editor and well-respected thought leader in the cybersecurity industry.Five things CIOs want from their CEOs, Google and Microsoft crack down on hackers, and how to prepare for forthcoming privacy laws - catch up on the infosec news of the week with the Friday Five!openwhyd is vulnerable to URL Redirection to Untrusted SiteWith more staff working remotely, identity, authentication, and access (IAA) has never been more important. Market forecasts, drivers and trends are explored.The Log4Shell vulnerability critically threatens anybody using the popular open-source Apache Struts framework and could lead to a βMini internet meltdown soonish.βScammers are using fake job listings to empty the wallets of young, hopeful victims looking to break into the gaming industry.IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an attacker that gains service access to the FSP can read and write arbitrary host system memory through a series of carefully crafted service procedures. IBM X-Force ID: 210018.Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.Stored Cross-Site Scripting (XSS) vulnerability discovered in WordPress Comment Engine Pro plugin (versions <= 1.0), could be exploited by users with Editor or higher role.An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code.IBM PowerVM Hypervisor FW940, FW950, and FW1010 could allow an authenticated user to cause the system to crash using a specially crafted IBMi Hypervisor call. IBM X-Force ID: 210894.Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.A security vulnerability has been identified in HPE StoreServ Management Console (SSMC). An authenticated SSMC administrator could exploit the vulnerability to inject code and elevate their privilege in SSMC. The scope of this vulnerability is limited to SSMC. Note: The arrays being managed are not impacted by this vulnerability. This vulnerability impacts SSMC versions 3.4 GA to 3.8.1.Zip Slip vulnerability in Pluck-CMS Pluck 4.7.15 allows an attacker to upload specially crafted zip files, resulting in directory traversal and potentially arbitrary code execution.Malicious email attachments with macros are one of the most common ways hackers get in through the door. Huntress security researcher John Hammond discusses how threat hunters can fight back.Research from Kaspersky finds that a quarter of phishing sites are gone within 13 hours β how in the world can we catch and stop cyber criminals that move so quickly?HackerOne reports that hackers are reporting more bugs and earning bigger bounties, but is an increase in testing or an increase in software vulnerabilities the cause of the jump?snipe-it is vulnerable to Improper Access ControlMissing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.Remote Code Execution (RCE) vulnerability exists in MaxSite CMS v107.5 via the Documents page.All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.The package com.h2database:h2 from 0 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function.In Pluck-4.7.15 admin background a remote command execution vulnerability exists when uploading files.OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and write files anywhere on the target system. The attack could be used to write files anywhere in the web root folder or outside, depending on the configuration of the system and the properly configured permission of the application server user. The attack requires an OpenOlat user account, an enabled REST API and the rights on a business object to call the vulnerable REST calls. The problem is fixed in version 15.5.12 and 16.0.5. There is a workaround available. The vulnerability requires the REST module to be enabled. Disabling the REST module or limiting the REST module via some firewall or web-server access rules to be accessed only be trusted systems will mitigate the risk.yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF)phpservermon is vulnerable to Improper Neutralization of CRLF SequencesThe move suggests the company didnβt comply with the hackers' ransom demandsCatch up on the biggest headlines of the week in just two minutesBetween 38,000 to 80,000 government employees might have been affected and potentially have had their data posted on the dark webLoujain al-Hathloul alleges three ex-NSA mercenaries hacked her phone in 2017 and passed sensitive information on to Saudi ArabiaThe acquisition will help Avast enhance its decentralized identity solutionsProduct harvests details from Active Directory without checking, say researchersEmployers can now automatically provide employees with a LastPass account through Googleβs directory integrationThe Russian government has blocked access to the project's website, and default Tor bridges are no longer workingUnsurprisingly, the vast majority take less than a second to crackThe partnership will see the two nations form a comprehensive strategy to share data that aligns with both domestic data sharing and protection frameworksTough email protection for Microsoft 365 thatβs simple to deploy, easy to manage and very affordableGoogle has confirmed that the glitch is affecting devices that have Microsoft Teams installedThe CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.Find out how to deal with the Log2Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. A sub-admin can read the cleartext Admin password via the fileName=../../etc/passwd substring.A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node.An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)The TCP Server module in toxcore before 0.2.8 doesn't free the TCP priority queue under certain conditions, which allows a remote attacker to exhaust the system's memory, causing a denial of service (DoS).An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring.Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring.Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors.The Like Button Rating ΓΒ’Γ’βΒ’ΓΒ₯ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata.The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issueThe User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issueThe Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injectionThe Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacksThe mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin through 2.7, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injectionThe Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowedfastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access.Insufficient Input Validation in the search functionality of Wordpress plugin Share-one-Drive prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacksThe Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues.The SEO Booster WordPress plugin through 3.7 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections.The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to.The Pixel Cat WordPress plugin before 2.6.2 does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacksThe WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack.The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injectionThe WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs.The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery.The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issuesThe User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashesThe Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowedThe Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated.The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password protected) via a direct URLThe WP Limits WordPress plugin through 1.0 does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low valuesThe NEX-Forms WordPress plugin through 7.9.4 does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.Insufficient Input Validation in the search functionality of Wordpress plugin Use-Your-Drive prior to 1.18.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issueInsufficient Input Validation in the search functionality of Wordpress plugin Out-of-the-Box prior to 1.20.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacksThe ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update themSecurity flaw will be addressed in the next releaseIn a matter of days, a large-scale outage of cloud and other online services could cause $15 billion in losses.Left unchecked, these attacks could have devastating effects on government and military secrets and jeopardize the software supply chain and the global economy.A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6.4.x before 6.4.7 allows attacker to Execute unauthorized code or commands via specific hex read/write operations.The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. This is the cross platform package.Some tips for effectively combating Web supply chain attacks and customer hijacking via browser extensions.An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they importAn issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack.A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commandsIn all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure.There is an information leak vulnerability in eCNS280_TD V100R005C10SPC650. The vulnerability is caused by improper log output management. An attacker with the ability to access the log file of device may lead to information disclosure.An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.There is a memory leak vulnerability in CloudEngine 12800 V200R019C00SPC800, CloudEngine 5800 V200R019C00SPC800, CloudEngine 6800 V200R019C00SPC800 and CloudEngine 7800 V200R019C00SPC800. The software does not sufficiently track and release allocated memory while parse a series of crafted binary messages, which could consume remaining memory. Successful exploit could cause memory exhaust.SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. An attacker can log in as an admin account of this system and can destroy, change or manipulate all sensitive information on the system.WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable to multiple stack-based buffer overflow instances while parsing project files, which may allow an attacker to execute arbitrary code.An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent.An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project membersAn issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack.Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.Directory traversal vulnerability in /admin/includes/* directory for PHPGURUKUL Employee Record Management System 1.2 The attacker can retrieve and download sensitive information from the vulnerable server.Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revokedImproper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2.An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on runner managerImproper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projectsMost targeted industry shifts from the financial and insurance sector in 2020.The opening marks the fifth center opened globally, fulfilling a key milestone within the Global Transparency Initiative.The cybersecurity Hiroshima of the year β the Apache Log4j logging library exploit β has spun off 60 bigger mutations in less than a day, researchers said.The Python code repository was infiltrated by malware bent on data exfiltration from developer apps and more.Analysts find at least 10 Linux botnets actively exploiting Log4Shell flaw.IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to obtain sensitive information, caused by the improper handling of requests for Spectrum Copy Data Management Admin Console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 214524.CPAN 2.28 allows Signature Verification Bypass.IBM Spectrum Copy Data Management 2.2.13 and earlier has weak authentication and password rules and incorrectly handles default credentials for the Spectrum Copy Data Management Admin console. IBM X-Force ID: 214957.The CPAN::Checksums package 2.12 for Perl does not uniquely define signed data.IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. IBM X-Force ID: 214523.IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum Copy Data Management Admin Console login and uploadcertificate function . A remote attacker could inject arbitrary shell commands which would be executed on the affected system. IBM X-Force ID: 214958.The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 211242.IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 214617.IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 214525.IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local attacker could exploit this vulnerability and cause a denial of service. IBM X-Force ID: 214438.Rizin is a UNIX-like reverse engineering framework and command-line toolset. In versions up to and including 0.3.1 there is a heap-based out of bounds write in parse_die() when reversing an AMD64 ELF binary with DWARF debug info. When a malicious AMD64 ELF binary is opened by a victim user, Rizin may crash or execute unintended actions. No workaround are known and users are advised to upgrade.IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local attacker could overflow a buffer and gain lower level privileges. IBM X-Force ID: 214439.IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 214616.A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an attacker to potentially execute code in the context of the affected process.The IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x server connection to an IBM Spectrum Protect Plus workload agent is subject to a man-in-the-middle attack due to improper certificate validation. IBM X-Force ID: 182046.Collabora Online is a collaborative online office suite based on LibreOffice technology. In affected versions a reflected XSS vulnerability was found in Collabora Online. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This would give access to a small set of user settings stored in the browser, as well as the session's authentication token which was also passed in at iframe creation time. Users should upgrade to Collabora Online 6.4.16 or higher or Collabora Online 4.2.20 or higher. Collabora Online Development Edition 21.11 is not affected.IBM i2 Analyst's Notebook 9.2.0, 9.2.1, and 9.2.2 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local attacker could overflow a buffer and gain lower level privileges. IBM X-Force ID: 214440.Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to version 1.7.4 to resolve this issue. If that is not possible, you can escape all places where `$property` is used to filter `sv:name` in the class `Jackalope\Transport\DoctrineDBAL\Query\QOMWalker`: `XPath::escape($property)`. Node names and xpaths can contain `"` or `;` according to the JCR specification. The jackalope component that translates the query object model into doctrine dbal queries does not properly escape the names and paths, so that a accordingly crafted node name can lead to an SQL injection. If queries are never done from user input, or if you validate the user input to not contain `;`, you are not affected.IBM Spectrum Protect Operations Center 7.1, under special configurations, could allow a local user to obtain highly sensitive information. IBM X-Force ID: 209610.IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a misconfiguration in access control headers. IBM X-Force ID: 214956.Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A successful attack would require an authenticated bad actor to create many Saved Searches or Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in version 3.33.2 and any future versions of Sourcegraph. We strongly encourage upgrading to secure versions. If you are unable to, you may disable Saved Searches and Code Monitors.More than 60 variants of the original exploit were introduced over the last day alone.Government actions help starve attack groups of the resources - money, ability to recruit, and time.A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php.Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error in values that represent negative values for 32 bit signed integers. Smart contracts that ask for shifts between approximately 2 billion and 4 billion bits (nonsensical but valid values for the operation) will fail to execute and hence fail to validate. In networks where vulnerable versions are mining with other clients or non-vulnerable versions this will result in a fork and the relevant transactions will not be included in the fork. In networks where vulnerable versions are not mining (such as Rinkeby) no fork will result and the validator nodes will stop accepting blocks. In networks where only vulnerable versions are mining the relevant transaction will not be included in any blocks. When the network adds a non-vulnerable version the network will act as in the first case. Besu 21.10.2 contains a patch for this issue. Besu 21.7.4 is not vulnerable and clients can roll back to that version. There is a workaround available: Once a transaction with the relevant shift operations is included in the canonical chain, the only remediation is to make sure all nodes are on non-vulnerable versions.Kronos, the workforce-management provider, said a weeks-long outage of its cloud services is in the offing, just in time to hamstring end-of-year HR activities like bonuses ands vacation tracking.Every high-profile breach leaves a trail of bread crumbs, and defenders who monitor access brokers can connect the dots and detect attacks as they unfold.Find out how to deal with the Log2Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!Get 'em while they're hot!A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication service. This could allow an unauthenticated remote attacker to trigger several actions on behalf of valid user accounts.A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). JTTK library in affected products is vulnerable to stack based buffer overflow while parsing specially crafted JT files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-14903)A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing TIFF files. An attacker could leverage this vulnerability to leak information in the context of the current process.A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll contains an out of bounds write past the end of an allocated structure while parsing specially crafted TIFF files. This could allow an attacker to execute code in the context of the current process.A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Image.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing specially crafted TIF files. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-15111)A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The VCRUNTIME140.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing specially crafted CGM files. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-15109)A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). JTTK library in affected products contains an out of bounds write past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-14913)A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Jt1001.dll is vulnerable to an out of bounds read past the end of an allocated buffer while parsing specially crafted JT files. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-15101)A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll is vulnerable to use of uninitialized memory while parsing user supplied TIFF files. This could allow an attacker to cause a denial-of-service condition.A vulnerability has been identified in JT Utilities (All versions < V13.0.3.0), JTTK (All versions < V11.0.3.0). JTTK library in affected products contains an out of bounds write past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-14828, ZDI-CAN-14898)A vulnerability has been identified in JT Utilities (All versions < V13.0.3.0), JTTK (All versions < V11.0.3.0). JTTK library in affected products is vulnerable to an out of bounds read past the end of an allocated buffer when parsing JT files. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-14843, ZDI-CAN-15051)A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This could allow an unauthenticated remote attacker to subscribe to arbitrary message queues.A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). JTTK library in affected products is vulnerable to an out of bounds read past the end of an allocated buffer when parsing specially crafted JT files. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-14841)A vulnerability has been identified in JT Utilities (All versions < V13.1.1.0), JTTK (All versions < V11.1.1.0). JTTK library in affected products contains an out of bounds write past the fixed-length heap-based buffer while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-15054)A vulnerability has been identified in JT Utilities (All versions < V12.8.1.1), JTTK (All versions < V10.8.1.1). JTTK library in affected products contains an out of bounds write past the end of an allocated structure while parsing specially crafted JT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-14830)JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing TIFF files. An attacker could leverage this vulnerability to leak information in the context of the current process.A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll contains an off-by-one error in the heap while parsing specially crafted TIFF files. This could allow an attacker to cause a denial-of-service condition.A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Jt1001.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing specially crafted JT files. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-15102)A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database. This could allow an unauthenticated remote attacker to read, modify or delete activity feed entries.The focused attacks aimed at cyberespionage and lateral movement appear to hint at further ambitions by the group, including supply-chain threats.Attackers could read and write arbitrary files to a deviceβs hard driveOne volley of fake news may land, but properly trained AI can shut down similar attempts at their sources.There is an upload sql injection vulnerability in the background of taocms 3.0.2 in parameter id:action=cms&ctrl=update&id=26The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.taocms 3.0.2 is vulnerable to arbitrary file deletion via taocms\include\Model\file.php from line 60 to line 72.An issue was discovered in Cuppa CMS Versions Before 31 Jan 2021 allows authenticated attackers to gain escalated privileges via a crafted POST request using the user_group_id_field parameter.glFusion CMS v1.7.9 is affected by an arbitrary user impersonation vulnerability in /public_html/comment.php. The attacker can complete the attack remotely without interaction.Sysaid API User Enumeration - Attacker sending requests to specific api path without any authorization before 21.3.60 version could get users names from the LDAP server.glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.Two packages lay undiscovered for 10 monthsLog4j is a serious vulnerability that has swept across the IT landscape quickly. Here's a single command you can run to test and see if you have any vulnerable packages installed.SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - version 420, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. This allows a low privileged attacker to retrieve some data from the victim but will never be able to modify the document and publish these modifications to the server. It impacts the "Quick Prompt" workflow.When a user opens a manipulated GIF (.gif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.SAP Business One - version 10.0, allows an admin user to view DB password in plain text over the network, which should otherwise be encrypted. For an attacker to discover vulnerable function in-depth application knowledge is required, but once exploited the attacker may be able to completely compromise confidentiality, integrity, and availability of the application.The link-list-manager WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category parameter found in the ~/llm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.Rapid7 Insight Agent, versions 3.0.1 to 3.1.2.34, suffer from a local privilege escalation due to an uncontrolled DLL search path. Specifically, when Insight Agent versions 3.0.1 to 3.1.2.34 start, the Python interpreter attempts to load python3.dll at "C:\DLLs\python3.dll," which normally is writable by locally authenticated users. Because of this, a malicious local user could use Insight Agent's startup conditions to elevate to SYSTEM privileges. This issue was fixed in Rapid7 Insight Agent 3.1.2.35. This vulnerability is a regression of CVE-2019-5629.An issue was discovered in Listary through 6. When Listary is configured as admin, Listary will not ask for permissions again if a user tries to access files on the system from Listary itself (it will bypass UAC protection; there is no privilege validation of the current user that runs via Listary).dbeaver is vulnerable to Improper Restriction of XML External Entity ReferenceThe True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file.yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 values.The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability.The duoFAQ - Responsive, Flat, Simple FAQ WordPess plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/duogeek/duogeek-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.8.SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server.Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.The Magic Post Voice WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ids parameter found in the ~/inc/admin/main.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6.When a user opens manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the applicationPodcast: Cybereason shares details about its vaccine: a fast shot in the arm released within hours of the Apache Log4j zero-day horror show being disclosed.An exclusive roundtable of security researchers discuss the specific implications of CVE-2021-44228 for smaller businesses, including what's vulnerable, what an attack looks like and to how to remediate.Dashlane's sixth annual list of the year's worst password offenders reveals the biggest password security mishaps for 2021.Companies must attempt to divert cybercriminals without inconveniencing or possibly exposing customers and their data. One expert explains how it's possible.Source code is a corporate asset like any other, which makes it an attractive target for hackers.UiPath Assistant 21.4.4 will load and execute attacker controlled data from the file path supplied to the --dev-widget argument of the URI handler for uipath-assistant://. This allows an attacker to execute code on a victim's machine or capture NTLM credentials by supplying a networked or WebDAV file path.IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when SharedBindingsUserId is set to effective. IBM X-ForceID: 211404.Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store sensitive information, which might be revealed in a backup. The issue is addressed by ensuring that the allowBackup flag (in the manifest) is False.A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application.An issue was discovered in UiPath App Studio 21.4.4. There is a persistent XSS vulnerability in the file-upload functionality for uploading icons when attempting to create new Apps. An attacker with minimal privileges in the application can build their own App and upload a malicious file containing an XSS payload, by uploading an arbitrary file and modifying the MIME type in a subsequent HTTP request. This then allows the file to be stored and retrieved from the server by other users in the same organization.Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would otherwise not be possible. The vulnerability allows attackers to craft links or forms which may change the server state. This issue is fixed in Opencast 9.10 and 10.0. You can mitigate the problem by setting the `SameSite=Strict` attribute for your cookies. If this is a viable option for you depends on your integrations. We strongly recommend updating in any case.You can send your career soaring by learning highly paid skills online from over 1,000 courses without worrying about security, and enjoy a bit of extra gaming during your breaks.The accounting firm PricewatersCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland's public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousand of outdated Windows 7 systems, and that the health system's IT administrators failed to respond to multiple warning signs that a massive attack was imminent.The new campaign masqueraded as an Orange Telecom account management app to deliver the latest iteration of Anubis banking malware.While looking for additional Exchange vulnerabilities in the wake of this year's zero-days, Kaspersky found an IIS add-on that harvests credentials from OWA whenever, and wherever, someone logs in.A vulnerability was discovered in the Keybase Client for Windows before version 5.6.0 when a user executed the "keybase git lfs-config" command on the command-line. In versions prior to 5.6.0, a malicious actor with write access to a userΓ’β¬β’s Git repository could leverage this vulnerability to potentially execute arbitrary Windows commands on a userΓ’β¬β’s local system.Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. Before Opencast 9.10 and 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine. An attacker would need to have the privileges required to add new media to exploit this. But these are often widely given. The issue has been fixed in Opencast 10.6 and 11.0. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chatΓ’β¬β’s Γ’β¬Εlink previewΓ’β¬οΏ½ functionality. In versions prior to 5.7.3, if a user were to enable the chatΓ’β¬β’s Γ’β¬Εlink previewΓ’β¬οΏ½ feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.7.7 PatrowlManager unrestrictly handle upload files in the findings import feature. This vulnerability is capable of uploading dangerous type of file to server leading to XSS attacks and potentially other forms of code injection. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds for this issue.Seafile is an open source cloud storage system. A sync token is used in Seafile file syncing protocol to authorize access to library data. To improve performance, the token is cached in memory in seaf-server. Upon receiving a token from sync client or SeaDrive client, the server checks whether the token exist in the cache. However, if the token exists in cache, the server doesn't check whether it's associated with the specific library in the URL. This vulnerability makes it possible to use any valid sync token to access data from any **known** library. Note that the attacker has to first find out the ID of a library which it has no access to. The library ID is a random UUID, which is not possible to be guessed. There are no workarounds for this issue.Cross-site scripting (XSS) vulnerability in /application/controller/admin/theme.php in LimeSurvey 3.6.2+180406 allows remote attackers to inject arbitrary web script or HTML via the changes_cp parameter to the index.php/admin/themes/sa/templatesavechanges URI.The Spotfire Server component of TIBCO Software Inc.'s TIBCO Spotfire Server, TIBCO Spotfire Server, and TIBCO Spotfire Server contains a difficult to exploit vulnerability that allows malicious custom API clients with network access to execute internal API operations outside of the scope of those granted to it. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Server: versions 10.10.6 and below, TIBCO Spotfire Server: versions 11.0.0, 11.1.0, 11.2.0, 11.3.0, 11.4.0, and 11.4.1, and TIBCO Spotfire Server: versions 11.5.0 and 11.6.0.PatrOwl is a free and open-source solution for orchestrating Security Operations. In versions prior to 1.77 an improper privilege management (IDOR) has been found in PatrowlManager. All imports findings file is placed under /media/imports/<owner_id>/<tmp_file> In that, owner_id is predictable and tmp_file is in format of import_<ownder_id>_<time_created>, for example: import_1_1639213059582.json This filename is predictable and allows anyone without logging in to download all finding import files This vulnerability is capable of allowing unlogged in users to download all finding imports file. Users are advised to update to 1.7.7 as soon as possible. There are no known workarounds.OpenProject is a web-based project management software. OpenProject versions >= 12.0.0 are vulnerable to a SQL injection in the budgets module. For authenticated users with the "Edit budgets" permission, the request to reassign work packages to another budget unsufficiently sanitizes user input in the `reassign_to_id` parameter. The vulnerability has been fixed in version 12.0.4. Versions prior to 12.0.0 are not affected. If you're upgrading from an older version, ensure you are upgrading to at least version 12.0.4. If you are unable to upgrade in a timely fashion, the following patch can be applied: https://github.com/opf/openproject/pull/9983.patchglFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator to click, an attacker can add a blacklist.A Remote Code Execution (RCE) vulnerability exists in emlog 5.3.1 via content/plugins.Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).The December rollout includes 67 security patches and addresses one zero-day and five more publicly known vulnerabilities.December's Patch Tuesday updates address six publicly known bugs and seven critical security vulnerabilities.The attack forced a shutdown of computer systems and websites for Virginia legislative agencies and commissions, reports state.Security professionals are burning out from handling too many tools and facing a growing number of threats, and more than 40% see lack of leadership as the main problem.Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that that is already being actively exploited. But this month's Patch Tuesday is being overshadowed by the "Log4Shell" 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.glFusion CMS 1.7.9 is affected by a Cross Site Request Forgery (CSRF) vulnerability in /public_html/admin/plugins/bad_behavior2/blacklist.php. Using the CSRF vulnerability to trick the administrator to click, an attacker can add a blacklist.North America-based Superior Plus "temporarily disabled" some of its systems in the wake of the attack.It took just 15 seconds to hack the latest, greatest, shiniest iPhone 13 Pro on stage at the Tianfu Cup in October, using a now-fixed iOS kernel bug.Qubes OS defines itself modestly as "a reasonably secure operating system." It might actually be one of the safest operating systems, often used by pros who are most concerned with computer security.Amid the increase in Log4J attack activity, at least one Iranian state-backed threat group is preparing to target the vulnerability, experts say.Google Survey of 1,000 U.S. consumers uncovers data privacy disconnect, a call to action for businesses.Automates security policy design to ensure compliance and reduce likelihood of breach announcing significant updates to other marketplace apps.If 2021 was the Year of Supply Chain Pain, 2022 will be the Year of Supply Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key [β¦]discourse-footnote is a library providing footnotes for posts in Discourse. ### Impact When posting an inline footnote wrapped in `<a>` tags (e.g. `<a>^[footnote]</a>`, the resulting rendered HTML would include a nested `<a>`, which is stripped by Nokogiri because it is not valid. This then caused a javascript error on topic pages because we were looking for an `<a>` element inside the footnote reference span and getting its ID, and because it did not exist we got a null reference error in javascript. Users are advised to update to version 0.2. As a workaround editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel can mitigate this issue.Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.Commentary: Those searching for a single cause for the Log4j vulnerability β whether it's open source is not secure, or open source is not sustainable β are getting it wrong. It's a complicated issue.Not only is the jaw-dropping flaw in the Apache Log4j logging library ubiquitous; Apacheβs blanket of a quickly baked patch for Log4Shell also has holes.Kryptowireβs end-to-end cybersecurity engine identified vulnerabilities granting system user-level privileges for arbitrary shell script execution.yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.Cloud security is a shared responsibility. which sometimes leads to security gaps and complexity in risk management.OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.Initiative will also invite selected security researchers to a live hacking eventThe way to improve the security of the modern software development life cycle and reduce the number of application-based breaches is to re-center app security around the needs of developers.Initial, βincompleteβ patch created path to denial-of-service attacksFor anyone looking to gain an extra layer of privacy on a desktop or laptop, Kodachi Linux might be the perfect option. Jack Wallen highlights this live Linux distribution.The attack has led to an outage expected to last weeks, leaving companies scrambling to make payroll with the holidays right around the corner.This utility looks for log4j in the currently running JVM. It is useful for systems that allow plugins to introduce their own jars. Therefore, you can find if someone is using log4j with a dangerous version.Windows Setup Elevation of Privilege VulnerabilityWindows Encrypting File System (EFS) Elevation of Privilege VulnerabilityStorage Spaces Controller Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43235.ASP.NET Core and Visual Studio Elevation of Privilege VulnerabilityVisual Studio Code WSL Extension Remote Code Execution VulnerabilityWindows Print Spooler Elevation of Privilege VulnerabilityMicrosoft BizTalk ESB Toolkit Spoofing VulnerabilityVP9 Video Extensions Information Disclosure VulnerabilityVisual Studio Code Spoofing VulnerabilityMicrosoft Defender for IOT Elevation of Privilege VulnerabilityMicrosoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42311, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43882.Microsoft Local Security Authority Server (lsasrv) Information Disclosure VulnerabilityLychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The function exit will terminate the script and print the message to the user. The message will contain albumID which is controlled by the user.Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-43242.Microsoft Excel Remote Code Execution VulnerabilityMicrosoft Office app Remote Code Execution VulnerabilityIn StackStorm versions prior to 3.6.0, the jinja interpreter was not run in sandbox mode and thus allows execution of unsafe system commands. Jinja does not enable sandboxed mode by default due to backwards compatibility. Stackstorm now sets sandboxed mode for jinja by default.NTFS Set Short Name Elevation of Privilege VulnerabilityTeeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.Microsoft Message Queuing Information Disclosure Vulnerability This CVE ID is unique from CVE-2021-43236.Windows Digital Media Receiver Elevation of Privilege VulnerabilityWindows TCP/IP Driver Elevation of Privilege VulnerabilityWindows Installer Elevation of Privilege VulnerabilityWindows Remote Access Elevation of Privilege VulnerabilityMicrosoft Defender for IoT Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-41365, CVE-2021-42310, CVE-2021-42311, CVE-2021-42313, CVE-2021-42314, CVE-2021-42315, CVE-2021-43889.Microsoft 4K Wireless Display Adapter Remote Code Execution VulnerabilityVisual Studio Code Remote Code Execution VulnerabilityWindows AppX Installer Spoofing VulnerabilityWindows Hyper-V Denial of Service VulnerabilityOnline Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to gain access as admin to the application.Microsoft PowerShell Spoofing VulnerabilityMicrosoft SharePoint Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-42320.Windows Digital TV Tuner Elevation of Privilege VulnerabilityWindows Recovery Environment Agent Elevation of Privilege VulnerabilityMicrosoft Defender for IoT Information Disclosure VulnerabilityClean up and damage assessment underwaySASE is a promising and burgeoning networking architecture approach, but it's not without some challenges.With access to a user's 3D model and full-body digital tracking, attackers can recreate the perfect replica of a C-level executive to trick employees.IP theft can have a long term damaging effects on a company. In this blog, we look at nearly 50 different examples of IP theft to help you better understand the threat.A Broken or Risky Cryptographic Algorithm exists in AnonAddy 0.8.5 via VerificationController.php.SAPβs still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, while its Patch Tuesday release includes 21 other fixes, some rated at 9.9 criticality."Owowa" stealthily lurks on IIS servers, waiting to harvest successful logins when an Outlook Web Access (OWA) authentication request is made.As cybercriminals scan for susceptible servers, there are steps you can take to mitigate the Log4j critical vulnerability.Cloud-native platform automates prevention, detection, and response to cyberattacks.Combined capabilities will help clients address the growing complexity of securing public, private and hybrid cloud, 5G, IoT, and industrial control systemsThe early lessons from Log4j indicate that key security principles can help better handle these high-risk software supply chain security incidents if teams have proper support.Scraping bugs and scraped databases are two new areas of research for the company's bug-bounty and data-bounty programs.Initial access brokers are cybercriminals who specialize in breaching companies and then selling the access to ransomware attackers. Learn how to protect your business from IABs.In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-196970023In getAlias of BluetoothDevice.java, there is a possible way to create misleading permission dialogs due to missing data filtering. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-180747689In checkExistsAndEnforceCannotModifyImmutablyRestrictedPermission of PermissionManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-186404356In sec_ts_parsing_cmds of (TBD), there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-194499021References: N/AIn TBD of fvp.c, there is a possible way to glitch CPU behavior due to a missing permission check. This could lead to local escalation of privilege with physical access to device internals with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-198291476References: N/AIn getConfiguredNetworks of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-197749180In periodic_io_work_func of lwis_periodic_io.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-195607566References: N/AIn code generated by BuildParcelFields of generate_cpp.cpp, there is a possible way for a crafted parcelable to reveal uninitialized memory of a target process due to uninitialized data. This could lead to local information disclosure across Binder transactions with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-198346478In hasManageOngoingCallsPermission of TelecomServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-194105812BMC firmware (IBM Power System S821LC Server (8001-12C) OP825.50) configuration changed to allow an authenticated user to open an insecure communication channel which could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 205267.In several functions of DatabaseManager.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-183961974Product: AndroidVersions: Android kernelAndroid ID: A-195580473References: N/AIn setClientStateLocked of SurfaceFlinger.cpp, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-193034677In C2SoftMP3::process() of C2SoftMp3Dec.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-193363621In rw_t4t_sm_detect_ndef of rw_t4t.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure due to a limited change in behavior based on the out of bounds data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191444150In NotificationAccessActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-182808318In valid_ipc_dram_addr of cm_access_control.c, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-197966306References: N/AIn getMimeGroup of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-184745603In enqueueNotificationInternal of NotificationManagerService.java, there is a possible way to run a foreground service without showing a notification due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191981182In onCreate of RequestIgnoreBatteryOptimizations.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-195963373In PVInitVideoEncoder of mp4enc_api.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-190435883In __configfs_open_file of file.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-174049066References: Upstream kernelIn getLaunchedFromUid and getLaunchedFromPackage of ActivityClientController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-191954233In onCreate of BluetoothPairingSelectionFragment.java, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-182810085Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.In the broadcast definition in AndroidManifest.xml, there is a possible way to set the A2DP bluetooth device connection state due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-196858999In ActivityThread.java, there is a possible way to collide the content provider's authorities. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-197647956In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192587406In synchronous_process_io_entries of lwis_ioctl.c, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-195731663References: N/AThruk 2.40-2 allows stored XSS.In snoozeNotification of NotificationListenerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-195111725In isFileUri of UriUtil.java, there is a possible way to bypass ignoring file://URI attachment due to improper handling of case sensitivity. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-197328178In getDeviceIdWithFeature of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-186530889In MPEG4Source::read of MPEG4Extractor.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-188893559In AdapterService and GattService definition of AndroidManifest.xml, there is a possible way to disable bluetooth connection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-182583850In update of km_compat.cpp, there is a possible loss of potentially sensitive data due to a logic error in the code. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-200041882In (TBD) of (TBD), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-169763055References: N/AIn addSubInfo of SubscriptionController.java, there is a possible way to force the user to make a factory reset due to a logic error in the code. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-197327688In showNotification of NavigationModeController.java, there is a possible confused deputy due to an unsafe PendingIntent. This could lead to local escalation of privilege that allows actions performed as the System UI with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-173025705bookstack is vulnerable to Improper Access ControlIn createOrUpdate of Permission.java, there is a possible way to gain internal permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-195338390In onNullBinding of ManagedServices.java, there is a possible permission bypass due to an incorrectly unbound service. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-192475653