
2242 matches found

wpexploit
added 2022/11/02 12:0 a.m., 82 views

Jeeng Push Notifications < 2.0.4 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Put the following payload in the "Account ID"...

CVSS: 4.8, AI score: 4.7, EPSS: 0.00501
Exploits: 2
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 25 views

Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22476)

Summary: Liberty for Java for IBM Cloud is vulnerable to identity spoofing with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature enabled. This has been addressed. Vulnerability Details: CVEID: CVE-2022-22476. DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0...

CVSS: 8.8, AI score: 6.9, EPSS: 0.00642
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 25 views

Security Bulletin: Potential spoofing attack in Liberty for Java (CVE-2020-4421)

Summary: IBM WebSphere Application Server Liberty using the openidConnectServer feature could allow identity spoofing by an authenticated user. This has been addressed. Vulnerability Details: CVEID: CVE-2020-4421. DESCRIPTION: IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an...

CVSS: 5.4, AI score: 5.2, EPSS: 0.00701
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 77 views

Security Bulletin: Vulnerability in Apache CXF affects Liberty for Java for IBM Cloud (CVE-2019-12406)

Summary: There is a denial of service in the Apache CXF library used by WebSphere Application Server. This has been addressed. Vulnerability Details: CVEID: CVE-2019-12406. DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachment...

CVSS: 6.5, AI score: 6.5, EPSS: 0.06257
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 28 views

Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to a denial of service (CVE-2020-4590)

Summary: There is a denial of service vulnerability in IBM WebSphere Application Server Liberty used in Liberty for Java for IBM Cloud. Vulnerability Details: CVEID: CVE-2020-4590. DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 20.0.0.9 running oauth-2.0 or...

CVSS: 6.5, AI score: 5.9, EPSS: 0.01241
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 22 views

Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031)

Summary: Liberty for Java for IBM Cloud is vulnerable to LDAP injection. This has been addressed. Vulnerability Details: CVEID: CVE-2021-39031. DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. B...

CVSS: 8.8, AI score: 8.5, EPSS: 0.02275
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 26 views

Security Bulletin: Vulnerability in Hibernate Validator affects Liberty for Java for IBM Cloud (CVE-2020-10693)

Summary: There is a vulnerability in the Hibernate Validator library used by WebSphere Application Server Liberty. Vulnerability Details: CVEID: CVE-2020-10693. DESCRIPTION: Hibernate Validator could allow a remote attacker to bypass security restrictions, caused by a flaw in the message...

CVSS: 5.3, AI score: 6.6, EPSS: 0.02294
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 24 views

Security Bulletin: CVE-2019-2949 may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java

Summary: CVE-2019-2949 was disclosed in the Oracle October 2019 Critical Patch Update. Vulnerability Details: CVEID: CVE-2019-2949. DESCRIPTION: An unspecified vulnerability in Java SE related to the Kerberos component could allow an unauthenticated attacker to obtain sensitive information resulting i...

CVSS: 6.8, AI score: 6.2, EPSS: 0.03603
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2022/10/07 4:1 p.m., 38 views

Security Bulletin: A vulnerability may affect IBM® SDK, Java™ Technology Edition used in Liberty for Java for IBM Cloud (CVE-2020-2590)

Summary: CVE-2020-2590 was disclosed in the Oracle January 2020 Critical Patch Update. Vulnerability Details: CVEID: CVE-2020-2590. DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact...

CVSS: 3.7, AI score: 5.3, EPSS: 0.03085
Exploits: 0, Affected Software: 1
OSV
added 2022/10/07 3:15 p.m., 1 view

CVE-2022-39876

Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows an attacker to access the device IMEI...

CVSS: 3.3, AI score: 5.8, EPSS: 0.0017
Exploits: 0, References: 1
ATTACKERKB
added 2022/10/07 3:15 p.m., 1 view

CVE-2022-39870

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSHMESSAGERECEIVED broadcast...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00342
Exploits: 0, References: 2
OSV
added 2022/10/07 3:15 p.m., 2 views

CVE-2022-39870

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSHMESSAGERECEIVED broadcast...

CVSS: 7.5, AI score: 5.8
Exploits: 0, References: 1
CNNVD
added 2022/10/07 12:0 a.m., 1 view

SAMSUNG Mobile devices security vulnerability

SAMSUNG Mobile devices are a range of Samsung mobile devices, including cell phones, tablets, etc., from the South Korean company Samsung. A security vulnerability exists in SAMSUNG Mobile devices version 1.7.89.0, which stems from an improper access control vulnerability in...

CVSS: 7.5, AI score: 7.4, EPSS: 0.00342
Exploits: 0, References: 2
Malwarebytes
added 2022/09/22 12:0 p.m., 18 views

Welcome to high tech hacking in 2022: Annoying users until they say "yes"

Last week we learned that ride-sharing giant Uber's defences had been unpicked by an attacker with a novel take on social engineering: fatigue. Fatigue attacks play on the often repetitive nature of certain security procedures and failsafes. Do you hate having to punch in a password on your login...

AI score: 7.7
Exploits: 0
Code423n4
added 2022/09/08 12:0 a.m., 18 views

Unbounded loop on array can lead to DoS

Lines of code. Vulnerability details. Description: As this array can grow quite large, the transaction's gas cost could exceed the block gas limit and make it impossible to call this function at all. A push exists but there is no pop in the solution, which means it will continuously only push, which wil...

AI score: 6.7
Exploits: 0
Citrix
added 2022/09/01 12:0 a.m., 6 views

Secure Mail: not getting iOS push notifications with Microsoft Intune

You have deployed Citrix Secure Mail via Microsoft Endpoint Manager for employees to access their on-prem ActiveSync mailboxes on iOS. Users notice they are getting calendar events but NOT email notifications, despite having properly configured Secure Mail settings in Microsoft Intune as per our...

AI score: 6.6
Exploits: 0
Cvelist
added 2022/08/11 3:49 p.m., 22 views

CVE-2021-44720

In Ivanti Pulse Secure Pulse Connect Secure PCS before 9.1R12, the administrator password is stored in the HTML source code of the "Maintenance Push Configuration Targets Target Name" targets.cgi screen. A read-only administrative user can escalate to a read-write administrative role...

AI score: 7.3, EPSS: 0.02295
Exploits: 0, References: 2
OSSF Malicious Packages
added 2022/07/21 10:55 a.m., 3 views

Malicious code in serverless-push-hasura (npm)

Source: ghsa-malware (6f74c4c91c1908ee1ed2c1631d97fe6c08bd02fb55f30643d8097b9962881f49). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.9
Exploits: 0, References: 1
OSV
added 2022/07/21 10:55 a.m., 5 views

MAL-2022-6024 Malicious code in serverless-push-hasura (npm)

Source: ghsa-malware (6f74c4c91c1908ee1ed2c1631d97fe6c08bd02fb55f30643d8097b9962881f49). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7
Exploits: 0, References: 1
Microsoft KB
added 2022/07/19 12:0 a.m., 6 views

July 19, 2022—KB5015879 (OS Build 20348.859) Preview

July 19, 2022—KB5015879 (OS Build 20348.859) Preview. For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note: Follow @WindowsUpdate to find out...

AI score: 7.1
Exploits: 0