Security
Headlines
HeadlinesLatestCVEs

Tag

#windows

CVE-2020-15679: PGAND-410 Resolve oauth session fixation on iOS (#272) · mozilla-mobile/guardian-vpn-ios@4309f5c

An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).

CVE
#vulnerability#ios#android#windows#oauth#auth
CVE-2022-22736: Invalid Bug ID

If Firefox was installed to a world-writable directory, a local privilege escalation could occur when Firefox searched the current directory for system libraries. However the install directory is not world-writable by default.<br>*This bug only affects Firefox for Windows in a non-default installation. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.

CVE-2022-22753: Invalid Bug ID

A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant Users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access.<br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

CVE-2022-22759: Security Vulnerabilities fixed in Thunderbird 91.6

If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document that e.g. had a JavaScript event handler - the event handler would have run despite the iframe's sandbox. This vulnerability affects Firefox < 97, Thunderbird < 91.6, and Firefox ESR < 91.6.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

4images 1.9 Remote Command Execution

4images version 1.9 suffers from a remote command execution vulnerability.

CVE-2021-43657: CVE-2021-43657/Info.txt at main · c0n5n3d/CVE-2021-43657

A Stored Cross-site scripting (XSS) vulnerability via MAster.php in Sourcecodetester Simple Client Management System (SCMS) 1.0 allows remote attackers to inject arbitrary web script or HTML via the vulnerable input fields.

CVE-2021-36631: CVE/Baidunetdisk Version 7.4.3 dll hijack.md at main · shigophilo/CVE

Untrusted search path vulnerability in Baidunetdisk Version 7.4.3 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2022-4641: [SECURITY] Fix Temporary File Information Disclosure Vulnerability by JLLeitschuh · Pull Request #2 · tdunning/pig-vector

A vulnerability was found in pig-vector and classified as problematic. Affected by this issue is the function LogisticRegression of the file src/main/java/org/apache/mahout/pig/LogisticRegression.java. The manipulation leads to insecure temporary file. The attack needs to be approached locally. The name of the patch is 1e7bd9fab5401a2df18d2eabd802adcf0dcf1f15. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216500.