Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens. This permits an attacker who recognised an HTTP-based Canaryt…
Category: Vulnerabilities
Vulnerabilities
CVE-2022-2229
by National Vulnerability Database •
An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public project…
Vulnerabilities
CVE-2022-1963
by National Vulnerability Database •
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authent…
Vulnerabilities
CVE-2022-1999
by National Vulnerability Database •
An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, using the REST API an unprivileged user was able to change labels description.
Vulnerabilities
CVE-2022-2228
by National Vulnerability Database •
Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restr…
Vulnerabilities
CVE-2022-2270
by National Vulnerability Database •
An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect perm…
Vulnerabilities
CVE-2022-1981
by National Vulnerability Database •
An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, t…
Vulnerabilities
CVE-2022-2254
by National Vulnerability Database •
A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 can store a script that could impact other logged in users.
Vulnerabilities
CVE-2022-2244
by National Vulnerability Database •
An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project memebers with reporter role to manage issues in project’s error tracking feature.
Vulnerabilities
CVE-2022-2243
by National Vulnerability Database •
An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects.
Vulnerabilities
CVE-2022-2235
by National Vulnerability Database •
Insufficient sanitization in GitLab EE’s external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously c…
Vulnerabilities
CVE-2022-2230
by National Vulnerability Database •
A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLa…
Vulnerabilities
CVE-2022-2227
by National Vulnerability Database •
Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data …
Vulnerabilities
CVE-2022-2185
by National Vulnerability Database •
A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where it was possible for an unauthorised user to execute arbitrary code on the server using the p…
Vulnerabilities
CVE-2022-1983
by National Vulnerability Database •
Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to …
Vulnerabilities
CVE-2022-2250
by National Vulnerability Database •
An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to redirect users to an arbitrary location if they trust the URL.
Vulnerabilities
CVE-2022-2281
by National Vulnerability Database •
An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases.
Vulnerabilities
CVE-2022-2253
by National Vulnerability Database •
A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server.
Europe, Exploits, North America, Vulnerabilities
awsEnum – Enumerate AWS Cloud Resources Based On Provided Credential
by haxf4rall2017 •
Enumrate AWS services! with no nosies awsEnum is a python script enumrate AWS services through the provided credential. ▄▄▄▄▄▄ ▄…
The post awsEnum – Enumerate AWS Cloud Resources Based On Provided Credential appeared first on Haxf4rall.
…
Vulnerabilities
CVE-2014-3650
by National Vulnerability Database •
Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input.
Vulnerabilities
CVE-2014-3648
by National Vulnerability Database •
The simplepush server iterates through the application installations and pushes a notification to the server provided by deviceToken. But this is user controlled. If a bogus applications is registered with bad deviceTokens, one can generate endless exc…
Vulnerabilities
CVE-2022-2282
by National Vulnerability Database •
Improper Authorization in GitHub repository saltstack/salt prior to 3004.2.
Europe, Global Security News, North America, Vulnerabilities
This Week in Malware—Python Cryptominers, 345 Dependency Confusion Packages
by Ax Sharma •
This Week in Malware, highlights include an influx of hundreds of dependency confusion packages with diverse targets and a ‘python-dateutils’ PyPI package that attempts to typosquat the vastly known Python module, dateutil.
The post This Week in …
Europe, Global Security News, North America, Vulnerabilities
Using AI/ML to Secure the Hybrid Workforce
by Sue Poremba •
First, workplaces went fully remote to keep business operations running during the COVID-19 pandemic. Now, as the pandemic is easing into endemic, organizations are asking their employees to return to their offices. Many workers are choosing a hybrid …
Vulnerabilities
CVE-2022-33103
by National Vulnerability Database •
Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().
Vulnerabilities
CVE-2022-33099
by National Vulnerability Database •
An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.
Vulnerabilities
CVE-2022-2264
by National Vulnerability Database •
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
Global Security News, Vulnerabilities
Google: Half of 2022’s Zero-Days Are Variants of Previous Vulnerabilities
by Ionut Arghire •
Google Project Zero has observed a total of 18 exploited zero-day vulnerabilities in the first half of 2022, at least half of which exist because previous bugs were not properly addressed.
read more
Vulnerabilities
CVE-2022-34894
by National Vulnerability Database •
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services
Vulnerabilities
CVE-2022-2280
by National Vulnerability Database •
Cross-site Scripting (XSS) – Stored in GitHub repository microweber/microweber prior to 1.2.19.
Vulnerabilities
CVE-2022-2279
by National Vulnerability Database •
NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.
Vulnerabilities
CVE-2022-2274
by National Vulnerability Database •
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption wil…
Vulnerabilities
ZDI-22-945: Parallels Access Agent Uncontrolled Search Path Element Privilege Escalation Vulnerability
by ZDI: Published Advisories •
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Vulnerabilities
ZDI-22-946: Parallels Access Agent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
by ZDI: Published Advisories •
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Vulnerabilities
ZDI-22-947: Parallels Access Agent Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability
by ZDI: Published Advisories •
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerabil…
Vulnerabilities
ZDI-22-948: Parallels Access Agent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
by ZDI: Published Advisories •
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerabil…
Vulnerabilities
CVE-2022-32988
by National Vulnerability Database •
Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings. The following asp files…
Vulnerabilities
CVE-2022-32295
by National Vulnerability Database •
On Ampere Altra and AltraMax devices before SRP 1.09, the the Altra reference design of UEFI accesses allows insecure access to SPI-NOR by the OS/hypervisor component.
Vulnerabilities
CVE-2022-27904
by National Vulnerability Database •
The Automox Agent installation package before 37 on macOS allows an unprivileged user to obtain root access because of incorrect access control on a file used within the PostInstall script.
Vulnerabilities
CVE-2021-32428
by National Vulnerability Database •
SQL Injection vulnerability in viaviwebtech Android EBook App (Books App, PDF, ePub, Online Book Reading, Download Books) 10 via the author_id parameter to api.php.