CA Technologies is alerting customers to a vulnerability in CA Harvest Software Change Manager. A vulnerability exists that can allow a privileged user to perform CSV injection attacks and potentially execute arbitrary code or commands. Note that this vulnerability is specific to the Harvest Workbench and Eclipse Plugin interfaces. CA published solutions to address this vulnerability and recommends that all affected customers implement these solutions. The vulnerability occurs due to insufficient input validation. A privileged user can potentially execute arbitrary code or commands. Versions affected include 13.0.3, 13.0.4, 14.0.0, and 14.0.1.
a4714b8adbe4fb471da29bb68b71fdc00d58ffcb406ca48c29511036eec88952Shopmetrics Mystery Shopping Software SaaS platform versions before v21-11 suffer from broken access control and cross site scripting vulnerabilities.
dce7572dd84dddedf1a258c769fb7857f6329fc1f4411e90d66f9c03dd2852c0Voltage SecureMail Server versions prior to 7.3.0.1 suffer from a business logic bypass vulnerability.
b53c96eab5d8c151a79e3e19d8f33fb25b15aff01cf1c97bef66654ec56cf63dKorenix Technology JetWave products JetWave 2212X, JetWave 2212S, JetWave 2212G, JetWave 2311, and JetWave 3220 suffer from unauthenticated device administration, cross site request forgery, multiple command injection, and unauthenticated tftp action vulnerabilities.
5a25ab12344f226941a56dbd876e476339306b241e827b61d60cb9042131e4b4WAGO 750-8xxx PLC versions prior to Firmware 20 Patch 1 (v03.08.08) suffer from denial of service and user enumeration vulnerabilities.
3baa93a2d3f1b5ab0f4e0408fec68f1c11444bf8af50dc66f28f63e877786d44This Metasploit module exploits privilege escalation in Servisnet Tessa triggered by the add new sysadmin user flow with any user authorization. An API request to "/data-service/users/[userid]" with any low-authority user returns other users' information in response. The encrypted password information is included here, but privilege escalation is also possible with the active sessionid value.
6e59726691f327427ec484da726b6a4c97e638187f4e7fb596cc5e0268c97f94Ubuntu Security Notice 5264-1 - It was discovered that graphviz contains null pointer dereference vulnerabilities. Exploitation via a specially crafted input file can cause a denial of service. It was discovered that graphviz contains a buffer overflow vulnerability. Exploitation via a specially crafted input file can cause a denial of service or possibly allow for arbitrary code execution.
7b2dda393f432d9f5478beaa0cf42bb994c1eda53dc76d28478cf882b2b62c0aWBCE CMS version 1.5.2 authenticated remote code execution exploit.
ac470b209db9aac30a9ffc3a993d8a7bcead871e9c7d6ee1b377790410f82fafUbuntu Security Notice 5030-2 - USN-5030-1 addressed vulnerabilities in Perl DBI module. This update provides the corresponding updates for Ubuntu 16.04 ESM. It was discovered that the Perl DBI module incorrectly opened files outside of the folder specified in the data source name. A remote attacker could possibly use this issue to obtain sensitive information.
4156488823a7bad9ce607b22c08fb929d15f81dacd19585771c178426fe8c2b3Ubuntu Security Notice 5262-1 - The potential for an out of bounds write due to a missing bounds check was discovered to impact the sgdisk utility of GPT fdisk. Exploitation requires the use of a maliciously formatted storage device and could cause sgdisk to crash as well as possibly allow for local privilege escalation.
1c92f0b4395a72700fbde1d7c592c2034f2e570da69cefc8c07d3a1b759e787fRed Hat Security Advisory 2022-0438-02 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
e888ef973301222bcca915508c47e021df4b28b81f8500f1d89877fb8146ade6This Metasploit module exploits an MQTT credential disclosure vulnerability in Servisnet Tessa. The app.js is publicly available which acts as the backend of the application. By exposing a default value for the "Authorization" HTTP header, it is possible to make unauthenticated requests to some areas of the application. Even MQTT (Message Queuing Telemetry Transport) protocol connection information can be obtained with this method. A new admin user can be added to the database with this header obtained in the source code. The module tries to log in to the MQTT service with the credentials it has obtained and reflects the response it receives from the service.
a526a71a842e124933fbe29b7fe054817479987a1ba9b99072a7022c4655f1aeRed Hat Security Advisory 2022-0435-03 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
44734862b4b2dc7a2b678aadd5ac73a4aa286f3f4631195f9ac969056346630cRed Hat Security Advisory 2022-0439-02 - Log4j is a tool to help the programmer output log statements to a variety of output targets. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
93413ed5304ce12cc43413e6728add591a8155097ab9004ced779a538389eac2Red Hat Security Advisory 2022-0437-03 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is an update for JBoss Enterprise Application Platform 6.4. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
21624b3c4924b9cd81b30a87de939db6403e20ac0297e85e21bd0e0fef92f9c6This Metasploit module exploits an authentication bypass in Servisnet Tessa, triggered by add new sysadmin user. The app.js is publicly available which acts as the backend of the application. By exposing a default value for the "Authorization" HTTP header, it is possible to make unauthenticated requests to some areas of the application. Even MQTT (Message Queuing Telemetry Transport) protocol connection information can be obtained with this method. A new admin user can be added to the database with this header obtained in the source code.
119c3c412df82f46d85f91b4ab7d2315fda2836a2057f29636ed9df61fe7a8bdRed Hat Security Advisory 2022-0434-05 - This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7, 4.8, and 4.9, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section. Issues addressed include a memory exhaustion vulnerability.
14491b7281705745bd03aadc7664ab3c3eb0abe1d341718c8e9103905c3784c3Red Hat Security Advisory 2022-0436-03 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
6c39fb6d7bac6a16f4f50bf4a5c79d6f9ba487bbfa01a6413a7f5dab7cc6658fFLAME II MODEM USB suffers from an unquoted service path vulnerability.
5b473186562a9fff5589d0662c67f1b610eb0a145eb6c989bd4c5e1ebe3ea59cRed Hat Security Advisory 2022-0421-02 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
f7287028275ce71f50acbeffc646868d94dd1ec3b6e7b0720cebef5fc075da93Red Hat Security Advisory 2022-0422-02 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
32ba23bf1a08a19d24fd73d090eb46e3bb1f1290c4a66d05085179fda5ca5244WordPress IP2Location Country Blocker plugin version 2.26.7 suffers from a persistent cross site scripting vulnerability.
c62903c5b3daed589c18b7a8a1dbb6b3549569d716f8b4a54c667b541deec3bcRed Hat Security Advisory 2022-0431-06 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes a bug fixes, security patches and new feature enhancements.
141890ea599d78e3dc568216578cb9ae701e774ab80404ed6c5b2fea5b1c6afcRed Hat Security Advisory 2022-0430-03 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 7.3.9 replaces Data Grid 7.3.8 and includes bug fixes and enhancements. Find out more about Data Grid 7.3.8 in the Release Notes [3]. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
6c69113af212e9a8637ce3e2de36cdaad1a71d9093dc3ebde6fe13ba7c601c0dRed Hat Security Advisory 2022-0420-02 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
5000583bd05166bcc5aa070d554b6c43343cf1c15b44aa9451c3c20e4ff3199e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed