Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

CVE-2022-38556: Vuln/2 at main · xxy1126/Vuln

Trendnet TEW733GR v1.03B01 contains a Static Default Credential vulnerability in /etc/init0.d/S80telnetd.sh.

CVE
Open in Source
#vulnerability#auth#telnet#ssl
5 Signs your WordPress Site is Hacked (And How to Fix It)

By Owais Sultan Currently, there are over 455 million websites powered by WordPress which highlights the fact that this open-source content management system is a lucrative target for cybercriminals and why security should be the top priority of WP users. This is a post from HackRead.com Read the original post: 5 Signs your WordPress Site is Hacked (And How to Fix It)

GHSA-3w4v-rvc4-2xpw: Keycloak has Files or Directories Accessible to External Parties

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

CVE-2022-35714: Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714)

IBM Maximo Asset Management 7.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231116.

CVE-2021-3856: [KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderF… · keycloak/keycloak@73f0474

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

CVE-2021-43766: Server processes unencrypted bytes from man-in-the-middle

Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.

CVE-2021-43767: Issues · yandex/odyssey

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

CVE-2022-2255: mod_wsgi/mod_wsgi.c at 4.9.2 · GrahamDumpleton/mod_wsgi

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

CVE-2022-37238: SecurityGateway for Email Servers Release Notes

MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.