Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVE-2022-1982: Security Updates

Multiple cross-site scripting (XSS) vulnerabilities in Neos CMS allow attackers with the editor role or higher to inject arbitrary script or HTML code using the editor function, the deletion of assets, or a workspace title. The vulnerabilities were found in versions 3.3.29 and 8.0.1 and could also be present in all intermediate versions.

**Metaverse as  
unique as its users**

Neos Metaverse is a revolutionary virtual community; a peer-to-peer, real-time collaboration platform for creators, educators and communities powered by the versatile Neos Engine.  
Join the metaverse and join us on our mission to provide diversity, individuality & creative freedom.

**One platform, near-endless solutions.**

Neos Metaverse - also known as NeosVR - has been designed to be a truly versatile and customizable creative environment complete with an innovative visual scripting language LogiX.

Leverage the power of Neos, build content with advanced editing tools, connect with the virtual community, explore countless ways of self-expression and accelerate your workflows through real-time virtual collaboration to create authentic immersive experiences.

**Create. Inspire. Amaze.**

Neos for creators

Whether you choose to make stunning art with brushes, material guns and shape tools - hanging your unique creations on the walls of your virtual home - or you prefer to have fun building jet packs, swinging ropes or gravity lifts, completely in-game and in real-time collaboration, Neos distinctive features enable you to explore the realms of true, real creative freedom. What’s more, custom animations, interactions and special effects can be effortlessly added with our powerful visual scripting language and tools.

**Play. Share. Have Fun.**

Neos for communities

Be whoever you want to be and roam the metaverse with friends from all over the world; experiment with advanced full-body tracking and haptic feedback, express yourself through dance & singing or pull off an epic break-dance battle. Neos Metaverse can connect you with your favorite artists and streamers and provide you with a powerful platform to participate in various meetings and events.

**Educate. Simulate. Collaborate.**

Neos for educators and businesses

Immersive experiences have a significant positive impact on memory retention and overall performance in both educational and business settings. Neos enables you and your audiences to experience the magnitude of the universe unraveling in front of you; allowing you to create accurate technical simulations and give lectures in your field of expertise.

**Neos Credits****A purpose-built peer-to-peer digital currency**

Neos Credits (NCR) is the official metaverse cryptocurrency of Neos, designed to serve our evolving community of creators and users.  
A decentralized Neos Store market place powered by NCR will enable a rich in-game economy resulting in an even greater amount of content for users to enjoy and in a great way for creators to make a living by monetizing their awesome work.  
To learn more about our mission, vision and tokenomics please read our whitepaper.

Read whitepaper

Prices may not be up to date, last checked  \--:--

**Neos ICO**

Batch Progress

Minting Batch: 444/500  
Next Batch: +1.25% minting price

Total Progress

Minted via Ethereum:  36,956,705.74 NCR  
Minted via Patreon: 1,985,046.20 NCR

**NCR Minting Price**

$**14.728223**

0x7CCBac6D333838608be0c40E124381016F4c81Fc \*

\*By sending Ethereum to this address, you agree to all terms in the Neos Whitepaper.  
‍‍  
Please don't send buy transactions directly from an exchange as potentially you will be unable to prove your NCR ownership.  

**ERC20 Wallets**

**Progress Graph**

**Everything you need  
in one platform**

Neos Metaverse has been engineered to revolutionize workflows in virtual collaboration and bring together communities online from all over the world. Creators, educators and global communities can build and distribute immersive experiences in a real-time virtual space. Neos is available in 20+ languages and supports a variety of virtual reality headsets as well as desktop mode so you can enjoy the gameplay wherever you are.

Use Neos as your VR and metaverse platform for games, learning, business and training. Explore your imagination.

Download Neos

**Accelerate time to production**

Put a stop to tedious importing/exporting processes and import over 40 different 3D model formats and a variety of media with a mere click. Take advantage of Neos fluid export capabilities and move your creations into various 3D modeling applications and game engines.

**Leverage the power of LogiX**

Choose from the arsenal of creative tools, brushes and materials prepared by our community or build your own. With no-code, node based LogiX visual scripting system you can make your own tools, simulations and games right within VR.    

**Ferociously dynamic, beautifully simple.  
Meet Neos Engine.**

Neos Engine is a state-of-the-art metaverse engine offering effortless multiplayer synchronization, content interoperability and content persistence thanks to its own advanced data model.  
It gives our users the ability to load worlds dynamically, switch between them instantly and creators the power to build worlds without the use of a third party game engine or SDKs directly in Neos.    
Automatic interoperability between all parts of the system allows for powerful, often unforseen, interactions involving assets by multiple creators that weren't specifically designed to work together. It just works - like in real life.  

**Transforming virtual collaboration**

Neos Metaverse enables users to create content and experiences in real time within VR and in collaboration with other people. Artists, designers, educators; communities or globally distributed teams can all build together in a virtual reality environment, run multiple sessions at the same time and access digital assets from any world.

**Hardware agnostic performance**

Neos is designed to work with the majority of VR headsets, as well as being able to switch to fully fledged desktop mode instantly - enabling you to spend more time creating and less time transitioning between environments and implementing SDKs. Thanks to our automatic content update process, your content remains fully functional in all future versions of Neos.  

**Your privacy is our priority**

With an easy to use permission system you can restrict who can join and what others can do in your worlds. Private local P2P sessions give you peace of mind, knowing that you have full ownership and control over your data. You can optionally take advantage of the centralized Neos Cloud giving you the most convenient experience.

**Advanced full body avatars**

Our advanced avatar system allows for importing, building and customizing avatars completely in-game. Neos supports enhanced facial and body tracking, haptic feedback, interactive dynamic bones and a fully configurable, full body IK system with up to 11 tracking points so everyone can see and react to your facial expressions and body language; bringing you even closer to those you’re collaborating with.  

**Metaverse Training Centre**

Our team of volunteers from all over the world takes great pride in creating a welcoming and supportive onboarding experience. Neos Metaverse Training Center is a true hub of knowledge where you can learn anything from setting up your avatars, visual scripting or simply drawing inspiration from our gallery of creations.  

For a full list of features please visit our Wiki

**Here's where we're going**

Neos Masterplan  
‍  
Our aim is to accelerate the transition to virtual collboration and to become a global platform of choice for everyone with their hearts in a mission for diversity, inclusivity and democracy, serving as an inspiration and example to the rest of the world.

Neos Masterplan  
‍  
Our aim is to accelerate the transition to virtual collboration and to become a global platform of choice for everyone with their hearts in a mission for diversity, inclusivity and democracy, serving as an inspiration and example to the rest of the world.

A full roadmap is available at GitHub

**Our mission and story**

Our aim is to accelerate the transition to virtual collaboration and to become a global platform of choice for everyone with a passion for diversity and inclusivity serving as an inspiration and example to the rest of the world.

Neos started as a virtual reality educational app and educational pilot project called World of Comenius at a grammar school that over time evolved into a full-scale metaverse engine. The very first educational demo enabled users to view human anatomy, play with atoms, force fields and robots.

Soon it became clear that the key to a truly useful and organized immersive experience was user interaction and content persistency - and that is how Neos, as a social metaverse, emerged. Thanks to funding from various investors and our very supportive community, Neos has grown into a versatile, feature-rich metaverse platform complete with its own cryptocurrency and continues to change the landscape of virtual reality experiences.

Current development roadmap is available at GitHub

CVE-2022-30429: Neos Metaverse

Couchbase Server before 7.1.0 has Incorrect Access Control.

CVE-2021-33504: Alerts | Couchbase

An out-of-bounds read flaw was found in the Linux kernel’s TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.

'2078466?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-1462: Invalid Bug ID

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

CVE-2022-27782

Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS).

*   Case Management
*   Orchestration & Automation
*   Quality Management System
*   Investigation Management
*   Phaneros Portal
*   Forensic Lab Management
*   Crime Scene Investigation
*   Resource (People, Process, Technology, Time, Data) Management
*   Nimbus Cloud & Saas
*   Nimbus Intelligence
*   Incident Response Lifecycle Management
*   Resource Library
*   Support
*   Contact

Skip to content

*   Government
*   Military
*   Corporate
*   Law enforcement

**COMPLEX OPERATIONS PLATFORM**

**VISUAL ANALYTICS**

**INVESTIGATION MANAGEMENT**

**On Prem - Cloud - SaaS**

**MODULAR DESIGN**

Corporate

**NIMBUS**

**Investigation Control**

NIMBUS provides total control and oversight to any investigation allowing USERS, PROCESS & TECHNOLOGY to seamlessly work together within the connected fabric of the COMPLEX OPERATIONS PLATFORM.

Explore the core NIMBUS modules.

**Investigation Management**

**Organised & Complex Investigation Lifecycle Platform**

Streamline complex Investigations by harnessing the Governance, Case Management, Quality Management, Orchestration and combine them with full disclosure management, Document Review and mark up, Actions management, Case analytics, Configurable Dashboards and management reporting to unravel any complexity in the  investigation along with full disclosure review and Digital Case file production.

**Investigation Management**

**Packed with features including:**

**Case Management**

**Digital & Traditional case management**

Solving everyday case management problems surrounding integrity, efficiency, evidence tracking, asset management, full management reporting and by combing solutions into a simple and intuitive user experience seamlessly integrating with all NIMBUS modules.

**Case Management**

**Packed with features including:**

**Orchestration & Automation**

**Orchestration & Automation Platform**

Visually digitise standard operating procedures, lab workflows or any playbook with ease allowing integration with forensic technologies, digital or traditional or external data sources. Orchestrate multiple automations, queue, prioritise, status controlled, workflow within workflow fully audited and reportable.

**Orchestration & Automation**

**Packed with features including:**

**NIMBUS Cloud & SaaS**

**Instant and flexible deployment**

Leverage the power, resilience, and speed of deployment of NIMBUS in the cloud environment of your choice as a true SaaS offering. Managed by an industry leading service delivery model, BlackRainbow removes the risk and complication of an on premise installation whilst delivering full functionality in an accelerated way.

**NIMBUS Cloud & SaaS**

**Packed with features including:**

**NIMBUS Incident Response Lifecycle Management Platform**

**Total Security Operations Management**

BlackRainbow’s incident response lifecycle management platform accelerates the incident response lifecycle, it is the connecting fabric for security infrastructure and teams. It offers entire incident management, intelligent automation and orchestration and interactive investigation. The platform has a focus on customisability and collaboration. This solution is available as a SaaS cloud-based solution, or it can be deployed on premise.

**NIMBUS Incident Response Lifecycle Management Platform**

**Packed with features including:**

**Would you like to see NIMBUS in action ?**

**PHANEROS Portal**

**Forensic requests submitted from anywhere on any platform**

PHANEROS the NIMBUS submission portal is an advanced configurable two-way electronic mobile submission management and production system for compiling, publishing, importing, and reviewing forensic case submissions. Remote users can add a case, build submissions to NIMBUS Core for authorisation, enter evidence, notes, and scene information with an on or offline capability with no need for a heavy local application install.

**PHANEROS Portal**

**Packed with features including:**

**NIMBUS Intelligence Management**

**Intelligence when you need it**

NIMBUS intelligence management and orchestration allows the ability to instigate, integrate or ‘reach out’ to the relevant intelligence resource needed for that stage of the investigation. It may be that OSINT, Dark web, local digital media seizure, external threat feeds, case metadata or external database information is needed to assist with the next stage of the investigation, NIMBUS manages the flow, automates workflow and notifications on watchlists and aggregates all of the intelligence in an authorised and auditable way.

**NIMBUS Investigation Management**

**Packed with features including:**

**Quality Management System**

**Integrated Quality Management System**

QMS aligns all the necessary areas to drive accreditation to any ISO standard or equivalent international standard. Manage and control your business performance, data and risks using our integrated quality management modules, non-conformance, actions, assets and more. When combined with NIMBUS CM it accelerates and governs the ability to obtain and maintain ISO accreditation, whilst removing administrative burdens associated to siloed systems.

**Quality Management System**

**Packed with features including:**

**Resource Library**

**Watch, read, and listen up**

All the latest videos, papers, articles, datasheets and updates from BlackRainbow

**BlackRainbow**

**Follow us**

Page load link

This website uses cookies for security and usage monitoring. You can accept or reject cookies or see the details and control which cookies are set using the buttons.

**Privacy Overview**

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie

Duration

Description

cookielawinfo-checbox-analytics

1 year

This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".

cookielawinfo-checkbox-necessary

1 year

This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".

viewed\_cookie\_policy

1 year

The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie

Duration

Description

\_ga

2 years

This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

\_gat\_gtag\_UA\_109233946\_1

1 minute

This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.

\_gid

1 day

This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Powered by

CVE-2022-24967: Corporate – BlackRainbow

LinkPlay Sound Bar v1.0 allows attackers to escalate privileges via a hardcoded password for the SSL certificate.

From: Lifeng Zhao <lifeng.zhao@linkplay.com> Sent: Sunday, December 12, 2021 5:03 PM To: Hidden Subject: Re: Security Vulnerability \*\*\* The Answer \*\*\* Hi Ohana, Thank you very much for your detailed report on the security vulnerability. It's super helpful and important to us. We'll take the immediate action to fix this. Thank you again for your great support. Best, Lifeng From: Hidden Date: 2021-12-12 21:24 To: security@linkplay.com Subject: Security Vulnerability \*\*\* The vulnerability \*\*\* Bug Type: Hard-coded secret key Impact: RCE, Supply chain attack Platforms: IOS + Android applications Our lab team has reviewed your product from a security perspective and noticed a few security issues that you should be aware of (technical details provided below). It is important to note that CyberArk Labs follow the security industry standard disclosure policy. We allow 90 days for the issues to be fixed/patched/mitigated. CyberArk Labs reserves the right to publicly disclose all information about the issues after this timeframe. We would be happy to share any additional information and to cooperate with you in mitigating the issue in a timely fashion. Summary: We can access an admin user in the Artifactory JFrog system, through which you can manage all the code of the applications and change it. As a result, we can change the application code across multiple tenants, ending with full RCE over every app. It is important to note, however, that both Android and IOS applications suffer from these vulnerabilities In details: We found the API key for admin and the password of the SSL client certificate have been hardcoded and stored on the application SoundBar (com.wifiaudio.Yamaha). To exploit this, you can add the API key to each request sent to the server. 1.Within the SoundBar application, we found the password of certificate\_new\_encrypted.p12 SSL certificate file. Using this certificate, we can communicate with the Soundbar device on port 443. Besides that, we found that the file is encoded with the XOR operator with the number 2. Therefore, it is simple to overcome the encoding. As a result, we can communicate with HTTPS requests with the device. 2. Also, we found that the application sends logs to the URL https://log.linkplay.com:8081/artifactory/Android/logs with the header "X-JFrog-Art-Api, and the API key AKCp5bB…. We discovered this API key is the key of the admin user in the system. This is a major security concern because every malicious user can access the JFrog artifactory with full admin access. In other words, a malicious user can corrupt the repository and cause clients to download malicious applications. 3.Moreover, we noticed that the JFROG version (6.2.0) is not up-to-date. The latest version is (7.10.2). Thus, it is vulnerable to the following CVEs: 1. CVE-2020-7931 2. From the frog website Lastly, we found the vulnerability (the admin API key) in many applications. Below are some links to several apps: ·https://play.google.com/store/apps/details?id=com.medion.speaker ·https://play.google.com/store/apps/details?id=com.wifiaudio.Yamaha ·https://play.google.com/store/apps/details?id=com.wifiaudio.triangle ·https://play.google.com/store/apps/details?id=com.wifiaudio.cavalier ·https://play.google.com/store/apps/details?id=com.wifiaudio.jam ·https://play.google.com/store/apps/details?id=com.wifiaudio.FABRIQ ·https://play.google.com/store/apps/details?id=com.zoundindustries.marshallvoice ·https://play.google.com/store/apps/details?id=com.dpiinc.ISBWV418B ·https://play.google.com/store/apps/details?id=com.ihome.ama ·https://play.google.com/store/apps/details?id=com.wifiaudio.iHome ·https://play.google.com/store/apps/details?id=com.wifiaudio.Creative

CVE-2022-28605: hardcoded on LinkPlay app

An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

Yes, this way is even better, given that as of now, https and wss are effectively the only schemes that should be supported, as bosh and websockets are the only alternative connection methods you can discover with the XEP.

Only other nit:  
The markdownish *or* doesn't really fit here. We have <em>or</em> or <strong>or</strong> for this. :)

CVE-2022-26491: Remove _xmppconnect DNS method from XEP-0156 and add warnings by moparisthebest · Pull Request #1158 · xsf/xeps

OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.

From time to time, our security researchers find zero-day vulnerabilities in open source projects. When this happens, we inform the relevant maintaners of the package and publish our findings here only after they’ve been remediated, or when a patch is available.

CVE-2021-34080: Checkmarx Advisory

Bottle before 0.12.20 mishandles errors during early request binding.

**Commits on May 24, 2022**

1.  Add ServerAdapter for CherryPy >= 9
    
    Since CherryPy >= 9, the server part of CherryPy has been extracted and named Cheroot. Thus the old CherryPy ServerAdapter does not work for CherryPy >= 9: the import fails, and the SSL part should be different too. Cheroot can be installed (git install cheroot) without CherryPy so that we can just have a CherootServer adapter in addition to the CherryPyServer adapter for the older versions.
    
    (cherry picked from commit b9229ee)
    Signed-off-by: Juerg Haefliger <juergh@protonmail.com>
    
     
    

3.  Added depr warning for the outdated cherrypy server adapter.
    
    If you are using this adapter, simply switch to 'cheroot'
    This should fix some recent and some very old issues regarding cherrypy:
    
    fix #947 Leave explicit the maxima version supported the CherryPy (<= 9.0.0)
    fix #932 Add ServerAdapter (fix CherryPy ServerAdapter)
    fix #685 Update CherryPy SSL to use latest API and work on Py3
    fix #574 Allow custom bind\_addr for CherryPy
    
    (backported from commit be90814)
    \[juergh: Adjust context, drop modifications of test/travis-requirements.txt
     which does not exist in 0.12.\]
    Signed-off-by: Juerg Haefliger <juergh@protonmail.com>

Tag

#ssl