7765 matches found

Positive Technologies
added 2022/06/13 12:00 a.m. · 5 views

PT-2022-21724 · Unknown +1 · Power Distribution Units +1

Name of the Vulnerable Software and Affected Versions: Power Distribution Units running on Powertek firmware versions prior to 3.30.30
Description: The issue concerns an insecure permissions setting on the user.token field, which is accessible through the "/cgi/get_param.cgi" HTTP API endpoint...

CVSS 9.8 · AI score 9.1 · EPSS 0.01656
Exploits 1 · References 2

CNNVD
added 2022/06/13 12:00 a.m. · 1 view

Powertek PDU Security Vulnerability

Powertek manufactures data center-grade intelligent PDUs (power distribution units), i.e., heavy-duty power strips for server racks. Powertek PDUs have an authentication bypass vulnerability that an attacker can exploit to bypass active session authorization checks. It can then be used to gain...

CVSS 9.8 · AI score 5.7 · EPSS 0.13425
Exploits 1 · References 2

CNNVD
added 2022/06/13 12:00 a.m. · 2 views

Powertek PDU Security Vulnerability

Powertek manufactures data center-grade intelligent PDUs (power distribution units), i.e., heavy-duty power strips for server racks. Powertek PDUs suffer from a buffer overflow vulnerability that an attacker can exploit to cause disclosure of the active session id of t...

CVSS 9.8 · AI score 6 · EPSS 0.01656
Exploits 1 · References 2

Positive Technologies
added 2022/06/13 12:00 a.m. · 7 views

PT-2022-21723 · Powertek +1 · Powertek +1

Name of the Vulnerable Software and Affected Versions: Power Distribution Units running on Powertek firmware versions prior to 3.30.30
Description: The issue allows remote authorization bypass in the web interface. An attacker can exploit this by sending an HTTP packet to the "cgi/get_param.cgi"...

CVSS 9.8 · AI score 7.9 · EPSS 0.13425
Exploits 1 · References 4

Malwarebytes
added 2022/06/08 9:33 p.m. · 51 views

MakeMoney malvertising campaign adds fake update template

Malware authors and distributors follow the ebb and flow of the threat landscape. One campaign we have tracked for a number of years recently introduced a new scheme that may move it entirely away from drive-by downloads via exploit kit. In this quick blog post, we will look at this ne...

AI score 0.2
Exploits 0

BDU FSTEC
added 2022/06/08 12:00 a.m. · 5 views

A vulnerability in the Snort integration module of the Cisco Firepower Threat Defense (FTD) firmware allows an intruder to cause a denial of service.

The vulnerability in the Snort intrusion detection system integration module for Cisco Firepower Threat Defense (FTD) is an uncontrolled resource consumption issue. Exploiting it allows a malicious actor to cause service interruptions by sending a series of specially crafted I...

CVSS 8.6 · AI score 7.2 · EPSS 0.0123
Exploits 0 · References 4 · Affected Software 1

CNVD
added 2022/06/06 12:00 a.m. · 15 views

Open-xchange OX App Suite Cross-Site Scripting Vulnerability (CNVD-2022-62757)

Open-xchange OX App Suite is a web-based cloud desktop environment from Open-Xchange. The environment lets users manage email, tasks, files, etc. more intuitively. A cross-site scripting vulnerability exists in Open-xchange OX App Suite 7.10.4 and prior...

CVSS 6.1 · AI score 3.4 · EPSS 0.00944
Exploits 0 · References 1

Veracode
added 2022/06/04 11:47 a.m. · 17 views

Out-Of-Bounds Read

When GNOME Dia before 2019-11-27 is launched with a filename argument that is not a valid codepoint in the current encoding, it enters an endless loop, thus endlessly writing text to stdout. If this launch is from a thumbnailer service, this output will usually be written to disk via the system's...

CVSS 5.5 · AI score 5.5 · EPSS 0.0037
Exploits 0 · References 7 · Affected Software 1

Code423n4
added 2022/05/30 12:00 a.m. · 19 views

Bribe Rewards Stuck In Contract If Deposited During First Epoch

Vulnerability details: Bribe rewards added to the Bribe contract in the first epoch will not be claimable by any voters, and the rewards will be stuck in the Bribe contract. Proof of concept: assume that the current epoch is epoch 0, and the start date of epoch 0 is Da...

AI score 6.6
Exploits 0

Code423n4
added 2022/05/26 12:00 a.m. · 8 views

Gauge: Attacker can call notifyRewardAmount function to insert malicious token to prevent reward distribution

Impact: The notifyRewardAmount function of the Gauge contract can be called by anyone, and can insert any token while rewards.length < MAX_REWARD_TOKENS. The notifyRewardAmount function of the Gauge contract then calls addRewardToken on the Bribe contract to a...

AI score 6.7
Exploits 0

Veracode
added 2022/05/25 7:00 a.m. · 10 views

Malicious Package Via Repository Hijacking

hautelook/phpass was taken over as a malicious package. The package repository was hijacked, tampered with, and used as a malware distribution vector after the original account owner deleted the account...

AI score 3.7
Exploits 0

Debian
added 2022/05/24 5:48 p.m. · 38 views

[SECURITY] [DSA 5145-1] lrzip security update

Debian Security Advisory DSA-5145-1, https://www.debian.org/security/, Moritz Muehlenhoff, May 24, 2022, https://www.debian.org/security/faq ...

CVSS 9.8 · AI score 6.9 · EPSS 0.01842
Exploits 6

vulnersOsv
added 2022/05/24 5:09 p.m. · 3 views

com.aiwiown:aiwiown-spring-cache (>=1.0.0 <=1.0.2-2.0.1), com.connexta.libera:libera (>=1.0.1 <=1.1.1) +101 more potentially affected by CVE-2020-8441 via org.jyaml:jyaml (=1.3)

org.jyaml:jyaml (Maven) version =1.3 is affected by a known vulnerability. The following packages have a transitive dependency on org.jyaml:jyaml and may be impacted: com.aiwiown:aiwiown-spring-cache =1.0.0, =1.0.1, =1.0.0, =1.0.1, =0.1.3, =0.1.2, =0.1.2, =0.1.3, =0.1.3, =0.1.2, =0.1.2, =0.1.2, ...

CVSS 9.8 · AI score 7.2 · EPSS 0.04841
Exploits 1

Github Security Blog
added 2022/05/24 4:59 p.m. · 32 views

Jenkins Kubernetes CI/CD Plugin vulnerable to Credential Enumeration

A missing permission check in form-related methods of the Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allowed users with Overall/Read access to enumerate the credentials IDs of credentials stored in Jenkins. Note: Jenkins has suspended distribution of this plugin...

CVSS 6.5 · AI score 4.6 · EPSS 0.00836
Exploits 0 · References 5 · Affected Software 1

Github Security Blog
added 2022/05/24 4:59 p.m. · 28 views

Jenkins Kubernetes CI/CD Plugin vulnerable to Improper Authorization

A missing permission check in the Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Note: Jenkins h...

CVSS 6.5 · AI score 4.4 · EPSS 0.00836
Exploits 0 · References 5 · Affected Software 1

CVE
added 2022/05/24 2:40 p.m. · 99 views

CVE-2022-29237

Opencast exposes a cross-tenant access flaw: before versions 10.14 and 11.7, an attacker with full access to the ingest REST interface and knowledge of internal links could import files from another organization within the same multi-tenant cluster, bypassing organizational barriers. The issue is...

CVSS 5.5 · AI score 5.1 · EPSS 0.00541
Exploits 0 · References 2 · Affected Software 1

Code423n4
added 2022/05/23 12:00 a.m. · 10 views

Users can grief reward distribution

Impact: Users can grief reward distributions by spending dust. Proof of concept: if a reward is targeted at an epoch in the past, a user can front-run the transaction in the mempool and call addRewardToEpoch with a dust amount at an epoch after the one in question. This...

AI score 6.7
Exploits 0

The Hacker News
added 2022/05/20 6:30 a.m. · 25 views

Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. "The spoofed sites were created to distribute malicious ISO files which lead to a Vida...

AI score 2
Exploits 0

ATTACKERKB
added 2022/05/17 5:00 p.m. · 7 views

CVE-2022-22775

The Workspace client component of TIBCO Software Inc.'s TIBCO BPM Enterprise and TIBCO BPM Enterprise Distribution for TIBCO Silver Fabric contains difficult-to-exploit reflected cross-site scripting (XSS) vulnerabilities that allow low-privileged attackers with network access to execute scripts...

CVSS 8.1 · AI score 6.1 · EPSS 0.00477
Exploits 0 · References 3

vulnersOsv
added 2022/05/17 4:12 a.m. · 4 views

ai.grakn:grakn-dist (>=0.7.0 <=0.16.0), ai.grakn:grakn-test (=0.10.0) +94 more potentially affected by CVE-2015-3337 via org.elasticsearch:elasticsearch (>=1.5.0 <=1.5.1)

org.elasticsearch:elasticsearch (Maven) versions =1.5.0, =0.7.0, =0.6.1, =0.11.0, =0.1.2, =1.0.0, =1.1, =1.5.0, =1.5.0, =0.9.0-M2, =1.0.0 and more. Source CVEs: CVE-2015-3337. Source advisory: OSV:GHSA-X8Q8-4HP5-463W...

CVSS 4.3 · AI score 7.2 · EPSS 0.33129
Exploits 5

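Both vulnersOsv entries in this listing (the org.jyaml:jyaml one above and this org.elasticsearch:elasticsearch one) are the output of a reverse-dependency walk: start at the vulnerable artifact and its vulnerable version range, then follow "depends on" edges backwards to collect every artifact that reaches it, recording the chain as the "via" column. The Python below is an added illustration of that walk, not Vulners or OSV code. The dependency graph is constructed for the example: the coordinates are taken from the two listings, but the edges, the snakeyaml sibling release and the example:unrelated-app consumer are assumed. The version ordering is a simplified Maven-style comparison, not Maven's ComparableVersion.

```python
"""Reverse-dependency reachability for a vulnerable Maven artifact.

Added example, not Vulners/OSV code. The graph below is constructed:
coordinates come from the two listing entries, the edges are assumed.
"""
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional, Tuple

Coord = Tuple[str, str]        # ("group:artifact", "version")
Constraint = Tuple[str, str]   # (operator, bound version); all constraints are ANDed

# Constructed direct-dependency edges: dependent -> its declared dependencies.
DEPS: Dict[Coord, List[Coord]] = {
    ("com.aiwiown:aiwiown-spring-cache", "1.0.1"): [("org.jyaml:jyaml", "1.3")],
    # hypothetical sibling release that moved to a different YAML parser
    ("com.aiwiown:aiwiown-spring-cache", "1.0.3"): [("org.yaml:snakeyaml", "1.30")],
    ("com.connexta.libera:libera", "1.1.1"): [("com.aiwiown:aiwiown-spring-cache", "1.0.1")],
    ("ai.grakn:grakn-test", "0.10.0"): [("org.elasticsearch:elasticsearch", "1.5.0")],
    ("ai.grakn:grakn-dist", "0.16.0"): [("ai.grakn:grakn-test", "0.10.0")],
    # hypothetical consumer pinned to a release outside the vulnerable range
    ("example:unrelated-app", "2.0.0"): [("org.elasticsearch:elasticsearch", "1.7.0")],
}


def parse_version(v: str) -> Tuple[Tuple[int, object], ...]:
    """Split '0.9.0-M2' into comparable tokens: numeric tokens are tagged 1,
    textual qualifiers 0, so mixed tokens never raise on comparison.
    Simplification of Maven's ComparableVersion (pre-release qualifiers
    are not ordered below their release), enough for the ranges above."""
    return tuple((1, int(t)) if t.isdigit() else (0, t)
                 for t in v.replace("-", ".").split("."))


OPS: Dict[str, Callable[[object, object], bool]] = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def in_range(version: str, constraints: List[Constraint]) -> bool:
    """True when version satisfies every (op, bound) constraint, e.g.
    [(">=", "1.5.0"), ("<=", "1.5.1")] for the elasticsearch entry."""
    pv = parse_version(version)
    return all(OPS[op](pv, parse_version(bound)) for op, bound in constraints)


def reverse_graph(deps: Dict[Coord, List[Coord]]) -> Dict[Coord, List[Coord]]:
    """Invert 'A depends on B' into 'B is depended on by A'."""
    rev: Dict[Coord, List[Coord]] = defaultdict(list)
    for dependent, dependencies in deps.items():
        for dep in dependencies:
            rev[dep].append(dependent)
    return rev


def transitively_affected(deps: Dict[Coord, List[Coord]], vuln_artifact: str,
                          constraints: List[Constraint]) -> Dict[Coord, List[Coord]]:
    """BFS backwards from every (artifact, version) node that is in the
    vulnerable range. Returns {affected coord: chain down to the vulnerable
    node}, which is the 'via' information shown in the listing."""
    rev = reverse_graph(deps)
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    roots = {n for n in nodes if n[0] == vuln_artifact and in_range(n[1], constraints)}
    parent: Dict[Coord, Optional[Coord]] = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        cur = queue.popleft()
        for dependent in rev.get(cur, []):
            if dependent not in parent:   # visited set; dependency graphs have diamonds
                parent[dependent] = cur
                queue.append(dependent)
    affected: Dict[Coord, List[Coord]] = {}
    for node in parent:
        if node in roots:
            continue
        chain: List[Coord] = []
        step: Optional[Coord] = node
        while step is not None:
            chain.append(step)
            step = parent[step]
        affected[node] = chain
    return affected


if __name__ == "__main__":
    for artifact, rng in [("org.jyaml:jyaml", [("=", "1.3")]),
                          ("org.elasticsearch:elasticsearch", [(">=", "1.5.0"), ("<=", "1.5.1")])]:
        for coord, chain in sorted(transitively_affected(DEPS, artifact, rng).items()):
            via = " -> ".join(f"{c[0]}:{c[1]}" for c in chain[1:])
            print(f"{coord[0]} ({coord[1]}) via {via}")
```

The walk is over exact (artifact, version) nodes rather than artifact names, which is what keeps com.aiwiown:aiwiown-spring-cache 1.0.3 out of the result even though 1.0.1 is affected; a scanner that collapses versions would over-report. The range check is applied only at the root: once a dependent reaches a vulnerable node through any declared edge it is reported, matching the listing's "potentially affected" wording, since whether the vulnerable code is actually reachable is a separate question.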