A vulnerability has been found in Anant Labs google-enterprise-connector-dctm up to 3.2.3 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument username/domain leads to sql injection. The name of the patch is 6fba04f18ab7764002a1da308e7cd9712b501cb7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218911.
A vulnerability classified as critical has been found in oktora24 2moons. Affected is an unknown function. The manipulation leads to sql injection. The name of the patch is 1b09cf7672eb85b5b0c8a4de321f7a4ad87b09a7. It is recommended to apply a patch to fix this issue. VDB-218898 is the identifier assigned to this vulnerability.
The US Justice Department arrested Russian national named Anatoly Legkodymov, the alleged owner of the China-based underground platform Bitzlato
High-level executives, including board members and C-level executives, often have access to sensitive information, making them prime targets for bad actors looking to penetrate corporate defenses. Their personal devices, among other points of entry, are glaring attack vectors for cybercriminals looking to get in on the top floor.
As CISOs know, cyber incidents all too often include the human element—and executives are all too human. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved a human element, the bulk of them involving phishing, business email compromise (BEC), and stolen credentials.
A vulnerability was found in bastianallgeier Kirby Webmentions Plugin and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to injection. The attack may be launched remotely. The name of the patch is 55bedea78ae9af916a9a41497bd9996417851502. It is recommended to apply a patch to fix this issue. VDB-218894 is the identifier assigned to this vulnerability.
A vulnerability was found in viakondratiuk cash-machine. It has been declared as critical. This vulnerability affects the function is_card_pin_at_session/update_failed_attempts of the file machine.py. The manipulation leads to sql injection. The name of the patch is 62a6e24efdfa195b70d7df140d8287fdc38eb66d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218896.
FortiGuard Labs is aware of a report that a recently patched vulnerability in the Cacti network monitoring and management suite is being exploited in the wild. The vulnerability (CVE-2022-46169) is a command injection vulnerability that allows a remote, unauthenticated user to execute arbitrary code on a server running vulnerable version of Cacti.Why is this Significant?This is significant because, although recently patched, CVE-2022-46169 is reported to have been exploited in the wild. The vulnerability is in Cacti, which is an open-source software for monitoring network devices and graphically displaying collected information.What is CVE-2022-46169?CVE-2022-46169 is a vulnerability in the Cacti network monitoring and management that a remote, unauthenticated attacker could exploit by sending a crafted HTTP request. Successful exploitation could result in arbitrary system command execution under the context of the target system.The vulnerability is rated critical and has a CVSS score of 9.8.Has the Vendor Released an Advisory for CVE-2022-46169?Yes, the advisory is publicly available. See the Appendix for a link to “Unauthenticated Command Injection”.What Version of Cacti is Vulnerable?The advisory released by Cacti lists 1.2.22 as a vulnerable version.Has the Vendor Released a Patch for CVE-2022-46169?Yes, the patch was released in v1.2.23 and v1.3.0 on December 5, 2022.What is the Status of Protection?FortiGuard Labs has the following IPS signature in place forCacti.remote_agent.php.Remote.Command.Execution (default action is set to “pass”)
Carole’s in her sick bed, which leaves Graham in charge of the good ship “Smashing Security” as it navigates the choppy seas of credential stuffing and avoids the swirling waters of apps being sloppy with sensitive information.
Find out more in this latest edition of the “Smashing Security” podcast, hosted by Graham Cluley with special guest BJ Mendelson.
