Tag

#windows

CVE-2022-48161: GitHub - sunset-move/EasyImages2.0-arbitrary-file-download-vulnerability: EasyImages2.0 arbitrary file download vulnerability

Easy Images v2.0 was discovered to contain an arbitrary file download vulnerability via the component /application/down.php. This vulnerability is exploited via a crafted GET request.

GHSA-8v4j-7jgf-5rg9: Warp vulnerable to Path Traversal via Improper validation of Windows paths

Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths, meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other Unix-likes are not impacted by this.

CVE-2022-47873: CVE-2022-47873 KEOS Software XXE - Fordefence - Adli Bilişim Laboratuvarı

Netcad KEOS 1.0 is vulnerable to XML External Entity (XXE) resulting in SSRF with XXE (remote).

Firmware Flaws Could Spell 'Lights Out' for Servers

Five vulnerabilities in the baseboard management controller (BMC) software used by 15 major vendors could allow remote code execution if attackers gain network access.

CVE-2022-37708: Docker: Accelerated, Containerized Application Development

Docker version 20.10.15, build fd82621 is vulnerable to Insecure Permissions. Unauthorized users outside the Docker container can access any files within the Docker container.

CVE-2022-28331

On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack-based buffer in apr_socket_sendv(). This is a result of integer overflow.

CVE-2020-20402: allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page. · Issue #2 · Westbrookadmin/portfolioCMS

Westbrookadmin portfolioCMS v1.05 allows attackers to bypass password validation and access sensitive information via session fixation.

New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector

The Russia-affiliated Sandworm used yet another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine. "The NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files," cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker