Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

Mitel VoIP Bug Exploited in Ransomware Attacks

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Threatpost
Open in Source
#vulnerability#web#linux#php#rce#pdf#zero_day#ssl
Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data

CISA warns that threat actors are ramping up attacks against unpatched Log4Shell vulnerability in VMware servers.

CVE-2022-31086

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

WordPress Weblizar 8.9 Code Execution

WordPress Weblizar plugin version 8.9 suffers from a remote code execution vulnerability.

CISA Log4Shell warning: Patch VMware Horizon installations immediately

CISA warns of log4shell being actively exploited to compromise VMware Horizon systems. We take a look at their warning. The post CISA Log4Shell warning: Patch VMware Horizon installations immediately appeared first on Malwarebytes Labs.

CVE-2022-2212: CVE/POC.md at main · CyberThoth/CVE

A vulnerability was found in SourceCodester Library Management System 1.0. It has been classified as critical. Affected is an unknown function of the component /card/index.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239094 On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 […]

GHSA-6xc4-7fmm-65q2: Code injection in concrete CMS

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.

CVE-2022-21231: Prototype Pollution in deep-get-set | CVE-2022-21231 | Snyk

All versions of package deep-get-set are vulnerable to Prototype Pollution via the 'deep' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666)