Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

CVE-2022-1565: Vulnerability Advisories - Wordfence

The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#windows#google#apache#js#git#java#wordpress#php#rce#perl#ssrf#auth#sap
CVE-2022-2444: Vulnerability Advisories - Wordfence

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

RHSA-2022:5597: Red Hat Security Advisory: pandoc security update

An update for pandoc is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24724: cmark-gfm: possible RCE due to integer overflow

‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns

Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw

CVE-2022-24688: DSK Systems

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.

CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2

Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

CVE-2021-41419: nuclei-templates/qvisdvr-deserialization-rce.yaml at master · projectdiscovery/nuclei-templates

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.

CVE-2022-26482: Security Center

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

CVE-2022-31211: Multiple Vulnerabilities in Infiray IRAY-A8Z3 thermal camera

An issue was discovered in Infiray IRAY-A8Z3 1.0.957. There is a blank root password for TELNET by default.