CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 a...
PT-2022-6787 · Google +1 · Google Chrome +1
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 108.0.5359.71 Description: The issue is related to an uninitialized use in FFmpeg within Google Chrome, allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This is due...
PT-2022-25362 · WordPress · Appointment Hour Booking
Name of the Vulnerable Software and Affected Versions: Appointment Hour Booking plugin for WordPress versions up to, and including, 1.3.72 Description: The issue is related to a CAPTCHA bypass due to the use of an insufficiently strong hashing algorithm on the CAPTCHA secret. This secret is also...
PT-2022-22381 · Datadog +1 · Datadog +2
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 12.1 through 15.3.5 GitLab CE/EE versions 15.4 through 15.4.4 GitLab CE/EE versions 15.5 through 15.5.2 Description: An issue has been discovered in GitLab CE/EE. A malicious maintainer could exfiltrate a Datadog...
PT-2022-27229 · Typo3 · Femanager
Name of the Vulnerable Software and Affected Versions: femanager extension versions prior to 5.5.2 femanager extension versions 6.x prior to 6.3.3 femanager extension versions 7.x prior to 7.0.1 Description: The issue allows creation of frontend users in restricted groups if there is a usergroup...
CVE-2022-39323 SQL Injection on REST API in GLPI
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. Time-based attack using a SQL injection in the REST API user token. This issue has been patched, please...
PT-2022-24903 · Nextcloud +1 · Nextcloud Enterprise Server +3
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 23.0.10 and 24.0.6 Nextcloud Enterprise Server versions prior to 22.2.10, 23.0.10, and 24.0.6 Description: The issue allows a logged-in attacker to slow down the system by generating a lot of database/cpu...
PT-2022-22590 · Usermin · Usermin
Name of the Vulnerable Software and Affected Versions: Usermin versions prior to 1.851 Description: The issue allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module. Recommendations: For versions prior to 1.851, update to version 1.851 or...
Oracle WebCenter Portal Multiple Vulnerabilities (Oct 2022 CPU)
The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the Oct 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Oracle Communications Convergence product of Oracle Communications Application...
Oracle Releases October 2022 Critical Patch Update
Oracle has released its Critical Patch Update for October 2022. This update addresses 366 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Oracle’s...
Security Bulletin: The IBM® Engineering Lifecycle Management products recommendation for Java SE CVEs (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443)
Summary: Oracle Java SE released a list of CVEs and their corresponding patches in the April quarterly updates. Vulnerability Details: Refer to the security bulletins listed in the Remediation/Fixes section. Affected Products and Versions: Products | Version ---|--- Jazz Foundation | CLM 6.0.6.1, CLM 6.0.6...
Oracle Critical Patch Update Advisory - October 2022
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches add...
KLA20010 Multiple vulnerabilities in Oracle VirtualBox
Multiple vulnerabilities were found in Oracle VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, obtain sensitive information, or gain privileges. Below is a complete list of vulnerabilities: 1. A denial of service in Core can be exploited to cause denial of...
CVE-2022-41606
In HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5, jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0...
CVE-2022-39274 Buffer Overflow in `ProcessRadioRxDone` in LoRaMac-node
LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper size validation of the incoming radio frames can lead to a 65280-byte out-of-bounds write. The function ProcessRadioRxDone...
Oracle Linux 7 : squid (ELSA-2022-6815)
The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-6815 advisory. - Resolves: CVE-2021-28651 squid: Bug 5104: Memory leak in RFC 2169 response parsing 778 - Resolves: CVE-2021-28652 squid: Bug 5106: Broken cache manager URL...
Design/Logic Flaw
If folder security is misconfigured for Actian Zen PSQL BEFORE Patch Update 1 for Zen 15 SP1 v15.11.005, Patch Update 4 for Zen 15 v15.01.017, or Patch Update 5 for Zen 14 SP2 v14.21.022, it can allow an attacker with file read/write access to remove specific security files in order to reset the...
Security Bulletin: CVE-2021-35561 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections
Summary: CVE-2021-35561 was disclosed as part of the Oracle October 2021 Critical Patch Update. Vulnerability Details: CVEID: CVE-2021-35561 DESCRIPTION: An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service...
Security Bulletin: Multiple vulnerabilities in current releases of the IBM® SDK, Java™ Technology Edition
Abstract: Issues disclosed in the Oracle October 2013 Java SE Critical Patch Update, plus 6 additional vulnerabilities. Content: VULNERABILITY DETAILS: CVE IDs: CVE-2013-5456 CVE-2013-5457 CVE-2013-5458 CVE-2013-4041 CVE-2013-5375 CVE-2013-5372 CVE-2013-5843 CVE-2013-5789 CVE-2013-5830 CVE-2013-5829...
Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server October 2013 CPU
Abstract: Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server. Content: The IBM WebSphere Application Server is shipped with an IBM SDK for Java that is based on the Oracle JDK. Oracle has released October 2013 critical patch updates...