
7414 matches found

Positive Technologies
added 2022/01/20 12:0 a.m. · 8 views

PT-2022-5915 · Linux +3 · Linux Kernel +3

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.16-rc6
Description: The issue is related to the lkdtm_ARRAY_BOUNDS function in the drivers/misc/lkdtm/bugs.c module of the Linux kernel. It lacks a check of the return value of kmalloc and will cause a null...

9.8 CVSS · 7.2 AI score · 0.67994 EPSS
Exploits 193 · References 949
Schneier on Security
added 2022/01/19 12:10 p.m. · 8 views

Are Fake COVID Testing Sites Harvesting Data?

Over the past few weeks, I've seen a bunch of writing about what seems to be fake COVID-19 testing sites. They take your name and info, and do a nose swab, but you never get test results. Speculation centered around data harvesting, but that didn't make sense because it was far too labor intensive...

0.9 AI score
Exploits 0
Trellix
added 2022/01/19 12:0 a.m. · 41 views

The Bug Report - December 2021 Edition

The Bug Report - December 2021 By Philippe Laulheret · January 19, 2022 Your Cybersecurity Comic Relief Why am I here? If you’re reading these words, CONGRATULATIONS! You’ve made it to 2022! And even better, you found your way to ATR’s monthly security digest where we discuss our favorite...

9.8 AI score · 0.99999 EPSS
Exploits 390
NCSC
added 2022/01/19 12:0 a.m. · 6 views

Vulnerabilities fixed in Oracle Enterprise Manager

Oracle has fixed vulnerabilities in the following products: Enterprise Manager Base Platform; Application Testing Suite; APM - Application Performance Management; Enterprise Manager Ops Center. The vulnerabilities potentially enable a malicious party to execute attacks that result in the following...

9.8 CVSS · 6.4 AI score · 0.23293 EPSS
Exploits 6
Trellix
added 2022/01/19 12:0 a.m. · 32 views

The Bug Report - December 2021 Edition

The Bug Report - December 2021 By Philippe Laulheret · January 19, 2022 Your Cybersecurity Comic Relief Why am I here? If you’re reading these words, CONGRATULATIONS! You’ve made it to 2022! And even better, you found your way to ATR’s monthly security digest where we discuss our favorite...

7.5 CVSS · 9.7 AI score · 0.88849 EPSS
Exploits 44
vulnersOsv
added 2022/01/18 6:15 p.m. · 0 views

coderedcms (>=0.21.0 <=0.22.3), coop (>=2.13.0 <=2.15.0) +15 more potentially affected by CVE-2022-21683 via wagtail (>=2.13.5 <=2.15.0)

wagtail PYPI version =2.13.5, =0.21.0, =2.13.0, =1.0.6, =0.2.2, =0.0.3, =0.1.0, =0.1.5, =1.0.0rc2, =0.9.3, =0.1.1, =1.0.1, =0.13.1, =0.13.2 and more Source cves: CVE-2022-21683 Source advisory: OSV:PYSEC-2022-13...

4.3 CVSS · 5.8 AI score · 0.0097 EPSS
Exploits 0
Exploit DB
added 2022/01/18 12:0 a.m. · 342 views

OpenBMCS 2.4 - Information Disclosure

Exploit Title: OpenBMCS 2.4 - Information Disclosure Exploit Author: LiquidWorm Date: 26/10/2021 OpenBMCS 2.4 Secrets Disclosure Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System BMCS. No matter what the size of your...

7.4 AI score
Exploits 0
Wallarm Lab
added 2022/01/17 11:2 a.m. · 20 views

What is fuzz testing? What is it used to test for?

Fuzz testing, regularly known as fuzzing, is a product testing procedure that incorporates embedding flawed or arbitrary information (FUZZ) into a product framework to recognize coding issues and security issues. Fuzz testing involves infusing information into a framework utilizing robotized or...

7.8 AI score
Exploits 0
Citrix
added 2022/01/17 12:0 a.m. · 4 views

Microsoft Security Update Validation Report January 2022

Microsoft’s January 2022 security updates have passed Citrix testing (the updates are listed below). The testing is not all-inclusive; all tests are executed against English only environments and issues may still be found upon implementation. Follow best practices for testing and installing softwar...

7 AI score
Exploits 0
GithubExploit
added 2022/01/13 9:16 p.m. · 460 views

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

This work includes testing and improvement tools for C...

10 CVSS · 9.5 AI score · 0.99999 EPSS
Exploits 357
BDU FSTEC
added 2022/01/12 12:0 a.m. · 4 views

The vulnerability of the DirectX Graphics Kernel File component in the Windows operating system allows a hacker to trigger a service failure.

The vulnerability of the DirectX Graphics Kernel File component in the Windows operating system exists due to insufficient testing of input data. Exploiting this vulnerability can allow a malicious actor to cause service interruptions remotely...

6.5 CVSS · 7.3 AI score · 0.03663 EPSS
Exploits 0 · References 2
Gitee
added 2022/01/10 4:38 p.m. · 17 views

Exploit for Improper Input Validation in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

This is a Java project for a web application that uses the Log4j library. The project is a practice environment for testing and learning about the Log4j vulnerability CVE-2021-44228. The project includes a Maven project settings file, a Java class file, and a Log4j configuration file. The Log4j...

10 CVSS · 8.1 AI score · 0.99999 EPSS
Exploits 346
Rapid7 Blog
added 2022/01/10 2:57 p.m. · 207 views

The 2021 Naughty and Nice Lists: Cybersecurity Edition

Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of...

9.3 CVSS · 9.9 AI score · 0.99999 EPSS
Exploits 346
Packet Storm
added 2022/01/10 12:0 a.m. · 342 views

Online Examination System Project 1.0 SQL Injection

Title: Online Examination System Project 1.0 SQL - Injections Author: nu11secur1ty Date: 01.10.2022 Vendor: https://projectworlds.in/free-projects/php-projects/ Software: https://projectworlds.in/free-projects/php-projects/online-examination/ Description: The eid parameter in account.php from...

0.1 AI score
Exploits 0
CNVD
added 2022/01/10 12:0 a.m. · 16 views

Command Execution Vulnerability in Metersphere

MeterSphere is a one-stop open source continuous testing platform, covering test tracking, interface testing, performance testing, team collaboration and other functions, compatible with JMeter and other open source standards, effectively helping development and testing teams to make full use of...

7.5 AI score
Exploits 0
Gitee
added 2022/01/09 4:18 p.m. · 4 views

vulhub

This is an open-source collection of vulnerable systems and applications for educational purposes. The repository is maintained by phith0n and is available on GitHub. It contains a variety of vulnerable systems and applications, including web applications, databases, and operating systems. The...

8 AI score
Exploits 0
GithubExploit
added 2022/01/09 1:38 p.m. · 523 views

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

CVE-2021-44228 (Apache Log4j Remote Code Execution) all log...

10 CVSS · 9.6 AI score · 0.99999 EPSS
Exploits 346
Malwarebytes
added 2022/01/07 6:14 p.m. · 20 views

Patchwork APT caught in its own web

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS Ragnatela Remote...

0.7 AI score
Exploits 0
OSV
added 2022/01/07 12:1 a.m. · 11 views

OSV-2022-17 Heap-buffer-overflow in ap_is_chunked

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43371 Crash type: Heap-buffer-overflow READ 1 Crash state: ap_is_chunked fuzzutils.c...

7.2 AI score
Exploits 0 · References 1
Gitee
added 2022/01/06 7:41 p.m. · 4 views

pikachu

It is an offensive tool for web application security training. The primary CVE ID is not explicitly mentioned, but the tool is designed to simulate various web application vulnerabilities, including but not limited to: brute force, XSS (cross-site scripting), CSRF (cross-site request...

6.4 AI score
Exploits 0