
1567 matches found

CVE
added 2022/01/21 9:5 a.m., 59 views

CVE-2022-21933

CVE-2022-21933 affects ASUS VivoMini/Mini PC and describes an improper input validation vulnerability. A local attacker with system privileges can trigger a System Management Interrupt (SMI) to modify memory, resulting in arbitrary code execution and potential control or disruption of the system....

CVSS 7.8, AI score 7.3, EPSS 0.0028
Exploits 0, References 1, Affected Software 1

CISA
added 2022/01/11 12:0 a.m., 13 views

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla security advisories for Firefox...

AI score 7.1
Exploits 0, References 3

IBM Security Bulletins
added 2022/01/10 12:57 p.m., 124 views

Security Bulletin: Vulnerability in Apache Log4j (CVE-2021-44228) affects Power HMC

Summary Log4j is used by IBM Power Hardware Management Console HMC for logging system/application events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228 by upgrading IBM Power Hardware Management Console HMC respective PTF and thus addressing the exposu...

CVSS 10, AI score 0.8, EPSS 0.99999
Exploits 344, Affected Software 2

IBM Security Bulletins
added 2022/01/05 12:34 p.m., 43 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 1.8 and IBM® Runtime Environment Java™ Version 1.8 used by Rational Functional Tester. Rational Functional Tester has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2021-35560 DESCRIPTION: An...

CVSS 9.8, AI score 7.1, EPSS 0.14957
Exploits 0, Affected Software 1

IBM Security Bulletins
added 2021/12/22 12:7 a.m., 33 views

Security Bulletin: Log4JShell Vulnerability affects Watson Machine Learning in Cloud Pak for Data (CVE-2021-44228)

Summary Apache Log4j, used for logging in Watson Machine Learning in Cloud Pak for Data, is impacted by the Apache Log4j vulnerability CVE-2021-44228. Customers are encouraged to take quick action to update their systems. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could...

CVSS 10, AI score 0.7, EPSS 0.99999
Exploits 344, Affected Software 1

IBM Security Bulletins
added 2021/12/22 12:3 a.m., 97 views

Security Bulletin: Vulnerabilities in Apache log4j2 (CVE-2021-4104, CVE-2021-44228, CVE-2021-45046) affect IBM Spectrum LSF Suite and IBM Spectrum LSF Suite for HPA

Summary There are vulnerabilities in Apache log4j2 used by IBM Spectrum LSF Suite and IBM Spectrum LSF Suite for HPA. IBM Spectrum LSF Suite and IBM Spectrum LSF Suite for HPA have addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2021-4104 DESCRIPTION: Apache Log4j could allow a...

CVSS 10, AI score 1.5, EPSS 0.99999
Exploits 347, Affected Software 2

Cvelist
added 2021/12/20 3:10 a.m., 11 views

CVE-2021-44164 Chain Sea Information Integration Co., Ltd ai chatbot system - Arbitrary File Upload

Chain Sea ai chatbot system’s file upload function has insufficient filtering for special characters in URLs, which allows a remote attacker to by-pass file type validation, upload malicious script and execute arbitrary code without authentication, in order to take control of the system or...

CVSS 9.8, AI score 9.9, EPSS 0.02055
Exploits 0, References 1

CVE
added 2021/12/20 3:10 a.m., 40 views

CVE-2021-44164

The CVE-2021-44164 entry concerns Chain Sea AI chatbot system; its file upload function lacks robust filtering for special URL characters, allowing bypass of file type validation and remote code execution without authentication. Impact is system take-over or service termination as described; conn...

CVSS 9.8, AI score 9.8, EPSS 0.02055
Exploits 0, References 1, Affected Software 1

BDU FSTEC
added 2021/12/20 12:0 a.m., 2 views

The vulnerability of the Advanced Networking Option component of the Oracle Database Server allows an attacker to execute a “man-in-the-middle” attack and gain full control over the system.

The vulnerability of the Advanced Networking Option component of the Oracle Database Server management system is related to deficiencies in the authentication process. Exploiting this vulnerability could allow a malicious actor to carry out a “man-in-the-middle” attack and gain full control over...

CVSS 8.3, AI score 6.7, EPSS 0.025
Exploits 5, References 11, Affected Software 11

IBM Security Bulletins
added 2021/12/17 4:22 a.m., 174 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Log4j

Summary Log4j is used by IBM Watson Discovery for IBM Cloud Pak for Data to log system events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228 by upgrading Watson Discovery and thus addressing the exposure to the log4j vulnerability. Vulnerability Detail...

CVSS 10, AI score 1.4, EPSS 0.99999
Exploits 344, Affected Software 1

IBM Security Bulletins
added 2021/12/16 4:28 a.m., 59 views

Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Risk Manager (CVE-2021-44228)

Summary IBM Data Risk Manager IDRM 2.0.6.9 and earlier is impacted by Log4Shell CVE-2021-44228, through the use of Apache Log4j's JNDI logging feature. This vulnerability has been addressed in the updated version of IDRM 2.0.6.10. Please see remediation steps below to apply fix. All customers...

CVSS 10, AI score 1, EPSS 0.99999
Exploits 344, Affected Software 1

CISA
added 2021/12/14 12:0 a.m., 12 views

Adobe Releases Security Updates for Multiple Products

Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Adobe’s Security Bulletins and apply the necessary updates...

AI score 7
Exploits 0, References 1

CISA
added 2021/12/08 12:0 a.m., 11 views

Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Mozilla security advisories for Firefox...

AI score 7.1
Exploits 0, References 3

CNVD
added 2021/12/04 12:0 a.m., 15 views

Sunnet eHRD Access Control Error Vulnerability

Sunnet eHRD is a talent management system from SunChat Technology, Taiwan, China. The system supports talent management and performance management, etc. Sunnet eHRD has an access control error vulnerability, which can be exploited by an attacker to access the account management page after...

CVSS 9, AI score 3.2, EPSS 0.02394
Exploits 0, References 1

NVD
added 2021/12/01 2:15 a.m., 15 views

CVE-2021-43359

Sunnet eHRD has a broken access control vulnerability, which allows a remote attacker to access the account management page after being authenticated as a general user, then perform privilege escalation to execute arbitrary code and control the system or interrupt services...

CVSS 9, EPSS 0.02394
Exploits 0, References 1

Prion
added 2021/12/01 2:15 a.m., 20 views

Input validation

Sunnet eHRD e-mail delivery task schedule’s serialization function has inadequate input object validation and restriction, which allows a post-authenticated remote attacker with database access privilege, to execute arbitrary code and control the system or interrupt services...

CVSS 9, AI score 8.9, EPSS 0.02328
Exploits 0, References 1, Affected Software 1

CVE
added 2021/12/01 2:0 a.m., 36 views

CVE-2021-43360

Sunnet eHRD is a talent management system from Sun Chat Technology. The CVE-2021-43360 vulnerability affects its e-mail delivery task schedule’s serialization function, where inadequate input object validation and restriction allows a post-authenticated remote attacker with database access privil...

CVSS 9, AI score 9, EPSS 0.02328
Exploits 0, References 1, Affected Software 1

Cvelist
added 2021/12/01 2:0 a.m., 18 views

CVE-2021-43359 Sunnet eHRD - Broken Access Control

Sunnet eHRD has a broken access control vulnerability, which allows a remote attacker to access the account management page after being authenticated as a general user, then perform privilege escalation to execute arbitrary code and control the system or interrupt services...

CVSS 8.8, AI score 9.2, EPSS 0.02394
Exploits 0, References 1

Prion
added 2021/11/19 4:15 p.m., 17 views

Cross site scripting

The “WPO365 | LOGIN” WordPress plugin up to and including version 15.3 by wpo365.com is vulnerable to a persistent Cross-Site Scripting XSS vulnerability also known as Stored or Second-Order XSS. Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data...

CVSS 4.3, AI score 6, EPSS 0.00937
Exploits 2, References 2, Affected Software 1

NVD
added 2021/11/15 10:15 a.m., 10 views

CVE-2021-42839

Grand Vice info Co. webopac7 file upload function fails to filter special characters. While logging in with general user’s permission, remote attackers can upload malicious script and execute arbitrary code to control the system or interrupt services...

CVSS 9, EPSS 0.0235
Exploits 0, References 1