Exploit for Missing Authentication for Critical Function in F5 Big-Ip_Access_Policy_Manager

CVE-2022-1388 https://support.f5.com/csp/article/K23605346 T...

kernel security and bug fix update

4.18.0-348.23.15.OL8 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...

Security Bulletin: Vulnerability in SSLv3 affects IBM QRadar SIEM. (CVE-2014-3566)

Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption POODLE attack. SSLv3 is enabled in IBM QRadar SIEM. Vulnerability Details CVE-ID: CVE-2014-3566 DESCRIPTION: Product could allow a remote attacker to obtain sensitive information...

Command injection

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP...

CVE-2021-4122

It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that...

GSD-2021-1002608 iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda

iio: adc: stm32: fix a current leak by resetting pcsel before disabling vdda This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.15.8 by commit...

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map MDC input data when the logging configuration uses a non-default Pattern Layout with either a Context...

CVE-2021-35978

An issue was discovered in Digi TransPort DR64, SR44 VC74, and WR. The ZING protocol allows arbitrary remote command execution with SUPER privileges. This allows an attacker with knowledge of the protocol to execute arbitrary code on the controller including overwriting firmware, adding/removing...

Server side request forgery in SwaggerUI

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered...

CVE-2021-35534 Insufficient Security Control Vulnerability

Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal databas...

CVE-2021-25979

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account...

F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability

F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services...

CVE-2021-39879

Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication...

SUSE SLED12 / SLES12 Security Update : xerces-c (SUSE-SU-2021:2944-1)

The remote SUSE Linux SLED12 / SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:2944-1 advisory. - The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. Thi...

Cross site request forgery (csrf)

Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings...

CVE-2021-22922

A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into downloading malicious content. The highest threat from this vulnerability is to integrity...

Cross-Site Request Forgery (CSRF) in namelessmc/nameless

✍️ Description Attacker able to disable any module with CSRF attack. It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application. In CSRF attacks...

Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy

✍️ Description CSRF bug when disabling notice 🕵️‍♂️ Proof of Concept no csrf token checking during enable/desable notice .\ Bellow request is vulnerable to csrf attack POST /index.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101...

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM InfoSphere Optim Performance Manager (CVE-2015-2808)

Summary The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM InfoSphere Optim Performance Manager. Vulnerability Details CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker...

Cisco Nexus 9000 Series Fabric Switches ACI Mode Link Layer Discovery Protocol Port DoS (cisco-sa-apic-lldap-dos-WerV9CFj)

According to its self-reported version, Cisco NX-OS Software is affected by a denial of service DoS vulnerability. The vulnerability exists in the Link Layer Discovery Protocol LLDP due to incorrect processing of LLDP on packets on an SFP interface. An unauthenticated, adjacent attacker can explo...