Ricoh Company, Ltd. Security Vulnerabilities

cvelist

CVE-2022-25729 Improper Input Validation in MODEM

Memory corruption in modem due to improper length check while copying into...

9.8CVSS

9.8AI Score

0.001EPSS

2023-02-09 06:58 AM
vulnrichment

CVE-2023-24203

Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitrary code via the company or query...

6.8AI Score

EPSS

1976-01-01 12:00 AM
cvelist

CVE-2023-24203

Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitrary code via the company or query...

6.7AI Score

EPSS

1976-01-01 12:00 AM
vulnrichment

CVE-2024-1662 Information Disclosure in Porty's PowerBank

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data. This issue affects PowerBank Application: before...

7.2CVSS

6.8AI Score

0.001EPSS

2024-06-05 11:51 AM
wired

Inside the Biggest FBI Sting Operation in History

When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’...

7.3AI Score

2024-06-04 10:00 AM
21
malwarebytes

Adobe clarifies Terms of Service change, says it doesn’t train AI on customer content

Following days of user pushback that included allegations of forcing a "spyware-like" Terms of Service (ToS) update into its products, design software giant Adobe explained itself with several clarifications. Apparently, the concerns raised by the community, especially among Photoshop and...

6.9AI Score

2024-06-12 03:28 PM
13
cve

CVE-2023-4039

DISPUTED: A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style...

4.8CVSS

5.3AI Score

0.0005EPSS

2023-09-13 09:15 AM
217
cve

CVE-2022-0555

Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all...

7.1AI Score

0.0004EPSS

2024-06-03 07:15 PM
27
krebs

KrebsOnSecurity Threatened with Defamation Lawsuit Over Fake Radaris CEO

On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The...

6.8AI Score

2024-06-20 07:16 PM
8
nvd

CVE-2023-23990

Improper Privilege Management vulnerability in Qube One Ltd. Redirection for Contact Form 7 wpcf7-redirect allows Privilege Escalation. This issue affects Redirection for Contact Form 7: from n/a through...

7.6CVSS

7.6AI Score

0.0004EPSS

2024-05-17 07:15 AM
2
cvelist

CVE-2024-35634 Woocommerce – Recent Purchases plugin <= 1.0.1 - File Inclusion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wow-Company Woocommerce – Recent Purchases allows PHP Local File Inclusion. This issue affects Woocommerce – Recent Purchases: from n/a through...

4.9CVSS

5.5AI Score

0.001EPSS

2024-06-04 01:36 PM
cve

CVE-2023-21658

Transient DOS in WLAN Firmware while processing the received beacon or probe response...

7.5CVSS

7.5AI Score

0.001EPSS

2023-06-06 08:15 AM
41
vulnrichment

CVE-2022-33250 Reachable assertion in Modem

Transient DOS due to reachable assertion in modem when network repeatedly sent invalid message container for NR to LTE...

7.5CVSS

6.9AI Score

0.001EPSS

2023-03-07 04:43 AM
cve

CVE-2022-33246

Memory corruption in Audio due to use of out-of-range pointer offset while Initiating a voice call session from user space with invalid session...

7.8CVSS

7.7AI Score

0.0004EPSS

2023-02-12 04:15 AM
38
vulnrichment

CVE-2022-33246 Use of out-of-range pointer offset in Audio

Memory corruption in Audio due to use of out-of-range pointer offset while Initiating a voice call session from user space with invalid session...

6.7CVSS

7.1AI Score

0.0004EPSS

2023-02-09 06:58 AM
cve

CVE-2022-33244

Transient DOS due to reachable assertion in modem during MIB reception and SIB...

7.5CVSS

7.4AI Score

0.001EPSS

2023-03-10 09:15 PM
40
cvelist

CVE-2022-33254 Reachable assertion in Modem

Transient DOS due to reachable assertion in Modem while processing SIB1...

7.5CVSS

7.7AI Score

0.001EPSS

2023-03-07 04:43 AM
cvelist

CVE-2022-40535 Buffer Over-read in WLAN

Transient DOS due to buffer over-read in WLAN while sending a packet to...

7.5CVSS

7.8AI Score

0.001EPSS

2023-03-07 04:43 AM
cve

CVE-2022-40538

Transient DOS due to reachable assertion in modem while processing sib with incorrect values from...

7.5CVSS

7.4AI Score

0.001EPSS

2023-06-06 08:15 AM
32
cvelist

CVE-2022-40538 Reachable assertion in Modem

Transient DOS due to reachable assertion in modem while processing sib with incorrect values from...

7.5CVSS

7.7AI Score

0.001EPSS

2023-06-06 07:39 AM
cve

CVE-2022-40536

Transient DOS due to improper authentication in modem while receiving plain TLB OTA request message from...

7.5CVSS

7.6AI Score

0.001EPSS

2023-06-06 08:15 AM
33
vulnrichment

CVE-2022-25729 Improper Input Validation in MODEM

Memory corruption in modem due to improper length check while copying into...

9.8CVSS

7.1AI Score

0.001EPSS

2023-02-09 06:58 AM
osv

OpenCart Cross-Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to...

3.5CVSS

6.9AI Score

0.001EPSS

2022-05-24 05:36 PM
7
github

OpenCart Cross-Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to...

3.5CVSS

6.9AI Score

0.001EPSS

2022-05-24 05:36 PM
6
cve

CVE-2023-5037

badmonkey, a Security Researcher has found a flaw that allows for an authenticated command injection on the camera. An attacker could inject malicious into request packets to execute command. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for...

7.2AI Score

0.0004EPSS

2023-11-13 08:15 AM
13
hackread

One Phish, Two Phish, Red Phish, Blue Phish

One of the interesting things about working for a cybersecurity company is that you get to talk...

7.2AI Score

2024-05-30 10:57 PM
5
cvelist

CVE-2024-35629 WordPress Easy Digital Downloads – Recent Purchases plugin <= 1.0.2 - Remote File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion. This issue affects Easy Digital Downloads – Recent Purchases: from n/a through...

9.6CVSS

9.6AI Score

0.001EPSS

2024-06-04 01:34 PM
4
cve

CVE-2023-5038

badmonkey, a Security Researcher has found a flaw that allows for an unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera, and must manually restart the device or re-power it. The manufacturer has released patch firmware...

6.9AI Score

0.0004EPSS

2024-06-25 03:15 AM
14
vulnrichment

CVE-2023-47256

ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy...

6.8AI Score

0.0004EPSS

2024-02-01 12:00 AM
cve

CVE-2022-1242

Apport can be tricked into connecting to arbitrary sockets as the root...

6.7AI Score

0.0004EPSS

2024-06-03 07:15 PM
600
2
wired

The Ticketmaster Data Breach May Be Just the Beginning

Data breaches at Ticketmaster and financial services company Santander have been linked to attacks against cloud provider Snowflake. Researchers fear more breaches will soon be...

7.4AI Score

2024-06-01 01:43 PM
6
cve

CVE-2023-47256

ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy...

5.5CVSS

5.5AI Score

0.0004EPSS

2024-02-01 10:15 PM
18
cvelist

CVE-2023-47256

ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy...

5.8AI Score

0.0004EPSS

2024-02-01 12:00 AM
vulnrichment

CVE-2024-35629 WordPress Easy Digital Downloads – Recent Purchases plugin <= 1.0.2 - Remote File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion. This issue affects Easy Digital Downloads – Recent Purchases: from n/a through...

9.6CVSS

7.1AI Score

0.001EPSS

2024-06-04 01:34 PM
1
nessus

JS Jobs Component for Joomla! 'md' Parameter SQLi

The version of the JS Jobs component for Joomla! running on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'md' parameter before using it to construct database queries. Regardless of the PHP 'magic_quotes_gpc' setting, an...

7.5AI Score

0.001EPSS

2010-01-11 12:00 AM
16
cve

CVE-2024-29225

WRC-X3200GST3-B v1.25 and earlier, and WRC-G01-W v1.24 and earlier allow a network-adjacent unauthenticated attacker to obtain the configuration file containing sensitive information by sending a specially crafted...

6.4AI Score

0.0004EPSS

2024-04-04 12:15 AM
13
nessus

ColdFusion on IIS cfm/dbm Diagnostic Error Path Disclosure

It was possible to make the remote web server disclose the physical path to its web root by requesting a MS-DOS device ending in .dbm (as in...

6.5AI Score

0.018EPSS

2003-03-15 12:00 AM
166
cve

CVE-2021-3899

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allows an attacker to execute arbitrary code as...

7.2AI Score

0.0004EPSS

2024-06-03 07:15 PM
604
2
nvd

CVE-2024-35855

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device. As part of this...

6.5AI Score

0.0004EPSS

2024-05-17 03:15 PM
2
cve

CVE-2024-35855

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device. As part of this...

6.7AI Score

0.0004EPSS

2024-05-17 03:15 PM
28
cve

CVE-2024-27974

Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator's ID, password, etc......

6.8AI Score

0.0004EPSS

2024-03-18 08:15 AM
35
cvelist

CVE-2024-1708 Improper limitation of a pathname to a restricted directory (“path traversal”)

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical...

8.4CVSS

9.5AI Score

0.0005EPSS

2024-02-21 03:29 PM
cve

CVE-2024-1708

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical...

8.4CVSS

9.5AI Score

0.0005EPSS

2024-02-21 04:15 PM
77
nvd

CVE-2023-38817

An issue in Inspect Element Ltd Echo.ac v.5.2.1.0 allows a local attacker to gain privileges via a crafted command to the echo_driver.sys component. NOTE: the vendor's position is that the reported ability for user-mode applications to execute code as NT AUTHORITY\SYSTEM was "deactivated by...

7.8CVSS

7.8AI Score

0.0004EPSS

2023-10-11 07:15 PM
1
cve

CVE-2023-38817

An issue in Inspect Element Ltd Echo.ac v.5.2.1.0 allows a local attacker to gain privileges via a crafted command to the echo_driver.sys component. NOTE: the vendor's position is that the reported ability for user-mode applications to execute code as NT AUTHORITY\SYSTEM was "deactivated by...

7.8CVSS

7.8AI Score

0.0004EPSS

2023-10-11 07:15 PM
58
cve

CVE-2024-5676

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method GET to introduce changes in the...

6.8CVSS

6.7AI Score

0.0004EPSS

2024-06-19 10:15 AM
21
cvelist

CVE-2024-27974

Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator's ID, password, etc......

6.8AI Score

0.0004EPSS

2024-03-18 07:59 AM
cve

CVE-2024-28094

Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database...

8.8CVSS

9AI Score

0.0004EPSS

2024-03-07 04:15 AM
30
vulnrichment

CVE-2024-1708 Improper limitation of a pathname to a restricted directory (“path traversal”)

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical...

8.4CVSS

8AI Score

0.0005EPSS

2024-02-21 03:29 PM
2
cve

CVE-2024-28096

Class functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected...

7.3CVSS

6.7AI Score

0.0004EPSS

2024-03-07 04:15 AM
34
Total number of security vulnerabilities: 51334