Security
Headlines
HeadlinesLatestCVEs

Tag

#microsoft

Microsoft Patch Tuesday November 2022: Exchange ProxyNotShell RCE, JScript9, MoTW, OpenSSL, Edge, CNG, Print Spooler

Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]

Alexander V. Leonov
Open in Source
#vulnerability#web#mac#windows#microsoft#js#java#kubernetes#c++#rce#auth#chrome#ssl#blog
CVE-2022-0698: GitHub - microweber/microweber: Drag and Drop Website Builder and CMS with E-commerce

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.

Backdoor.Win32.Autocrat.b MVID-2022-0660 Weak Hardcoded Credential

Backdoor.Win32.Autocrat.b malware suffers from a weak hardcoded credential vulnerability.

ConnectWise closes XSS vector for remote hijack scams

Researchers also applaud abandonment of customization feature abused by scammers

Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be

Redacted Documents Are Not as Secure as You Think

Popular redaction tools don’t always work as promised, and new attacks can reveal hidden information, researchers say.

CVE-2022-2721: Security Advisory 2022-24

In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled.

How to Avoid Black Friday Scams Online

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

CVE-2022-45868: h2database/WebServer.java at 96832bf5a97cdc0adc1f2066ed61c54990d66ab5 · h2database/h2database

The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Retired Software Exploited To Target Power Grids, Microsoft

By Habiba Rashid Boa was discontinued in 2005 but remained popular and is now becoming a crisis because of the complex nature of how it was built into the IoT device supply chain. This is a post from HackRead.com Read the original post: Retired Software Exploited To Target Power Grids, Microsoft