Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2022-38268: bug_report/SQLi-3.md at main · moyess/bug_report

School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the component /modules/autonumber/index.php?view=edit&id=.

CVE
Open in Source
#sql#vulnerability#windows#php#auth#firefox
CVE-2022-38267: bug_report/SQLi-1.md at main · moyess/bug_report

School Activity Updates with SMS Notification v1.0 was discovered to contain a SQL injection vulnerability via the component /modules/user/index.php?view=edit&id=.

CVE-2022-38265: bug_report/SQLi-1.md at main · xxxcoll/bug_report

Apartment Visitor Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /avms/edit-apartment.php.

CVE-2022-38256: wizlynx group | Stored Cross-Site Scripting (XSS) Vulnerability in TastyIgniter v3.5.0

TastyIgniter v3.5.0 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2022-38260: bug_report/SQLi-2.md at main · Fright1Moch/bug_report

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=questiondelete&id=.

CVE-2022-37857: Two minor Security Issues · Issue #187 · bilde2910/Hauk

bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear-text on the android client device by default.

CVE-2022-37163: CVE-2022-37857, CVE-2022-37163, CVE-2022-37164 Hardcoded Credentials/Weak Password Policies

Bminusl IHateToBudget v1.5.7 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.

CVE-2022-38255: bug_report/SQLi-1.md at main · Fright1Moch/bug_report

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /interview/editQuestion.php.

WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

Site backup plugin developer issues patch following reports of millions of exploit attempts

Lazarus and the tale of three RATs

By Jung soo An, Asheer Malhotra and Vitor Ventura. Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state. Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. Introduction Cisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February...