Multiple vulnerabilities in UNIMO Technology digital video recorders
Overview: Multiple digital video recorders provided by UNIMO Technology Co., Ltd contain multiple vulnerabilities listed below. Improper Authentication (CWE-287) - CVE-2022-44620; OS Command Injection (CWE-78) - CVE-2022-44606; Hidden Functionality (CWE-912) - CVE-2022-43464. The reporter states that attac...
PT-2022-27354 · Webtareas · Webtareas
Name of the Vulnerable Software and Affected Versions: webtareas version 2.4p5. Description: The issue is related to a cross-site scripting (XSS) vulnerability in the /contacts/listcontacts.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted...
FreeBSD : rpm4 -- Multiple Vulnerabilities (0c52abde-717b-11ed-98ca-40b034429ecf)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 0c52abde-717b-11ed-98ca-40b034429ecf advisory. - There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a...
SUSE-SU-2022:4279-1 Security update for systemd
This update for systemd fixes the following issues: - CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968). - Import commit 417bb0944e035969594fff83a3ab9c2ca9a56234 20743c1a44 logind: fix crash in logind on user-specified message string b971b5f085 tmpfiles: check the director...
PT-2022-26980 · Callback Technologies · Cbfs Filter
Name of the Vulnerable Software and Affected Versions: Callback technologies CBFS Filter version 20.0.8317. Description: A null pointer dereference issue exists in the handle ioctl 0x830a0 systembuffer functionality. This can be triggered by a specially crafted I/O request packet (IRP), leading to...
Amasty Blog commenting feature cross-site scripting vulnerability
Amasty Blog is a web page extension of Amasty Inc. A cross-site scripting vulnerability exists in the commenting functionality of Amasty Blog Pro version 2.10.3, which can be exploited by attackers to inject cross-site code and launch XSS attacks...
GHSA-8JH9-WQPF-Q52C sweetalert2 v8.19.1 and above contains hidden functionality
sweetalert2 versions 8.19.1 and up until 9.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions below 8.19.1. Workaround Users who a...
GHSA-PG98-6V7F-2XFV sweetalert2 v9.17.4 and above contains hidden functionality
sweetalert2 versions 9.17.4 and up until 10.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 9.0.0 - 9.17.3. Workaround Users wh...
sweetalert2 v10.16.10 and above contains hidden functionality
sweetalert2 versions 10.16.10 and up until 11.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 10.0.0 - 10.16.9. Workaround Use ...
GHSA-457R-CQC8-9VJ9 sweetalert2 v10.16.10 and above contains hidden functionality
sweetalert2 versions 10.16.10 and up until 11.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 10.0.0 - 10.16.9. Workaround Use ...
GHSA-QQ6H-5G6J-Q3CM sweetalert2 v11.4.9 and above contains hidden functionality
sweetalert2 versions 11.4.9 and above are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 11.0.0 - 11.4.8. Workaround Use a version...
PT-2022-28188 · Unknown · Sweetalert2
Name of the Vulnerable Software and Affected Versions: sweetalert2 versions 10.16.10 through 11.0.0. Description: The issue concerns hidden functionality introduced by the maintainer, causing the package to output audio and/or video messages unrelated to its intended functionality. Recommendations...
CVE-2022-35500
Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via leave comment functionality...
CVE-2022-35500
CVE-2022-35500: Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via the leave comment functionality. Affected: Amasty Blog version 2.10.3. Root cause details are not explicitly provided in the documents, only the XSS via leave comment is stated. Remediation guidance from PT-2022-22...
CVE-2022-41952 Uncontrolled Resource Consumption in Matrix Synapse
Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) bytes have been downloaded, which can in some cases lead to...
Medium: Node runner whitelisting functionality is broken
Lines of code Vulnerability details Description isNodeRunnerWhitelisted manages whitelisting of nodeRunners. If whitelisting is enabled, this mapping is checked in isNodeRunnerValid: function isNodeRunnerValid(address nodeRunner) internal view returns (bool) { require(nodeRunner != address(0), "Zero...
Get a Loda This: LodaRAT meets new friends
LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta. Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild. Changes in these LodaRAT variants include new functionality allowing...
Cross site scripting
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response...
CVE-2022-4014
A vulnerability, which was classified as problematic, has been found in FeehiCMS. Affected by this issue is some unknown functionality of the component Post My Comment Tab. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The identifier of this...