Read Time:5 Second
Reginaldo Silva discovered a (Debian-specific) Lua sandbox escape in
Redis, a persistent key-value database.
Category Archives: Advisories
DSA-5080 snapd – security update
Read Time:8 Second
Multiple vulnerabilties were discovered in snapd, a daemon and tooling
that enable Snap packages, which could result in bypass of access
restrictions or privilege escalation.
CVE-2014-8597
Read Time:10 Second
A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel.
SEC Consult SA-20220215 :: Multiple Critical Vulnerabilities in multiple Zyxel devices
Read Time:15 Second
Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Feb 16
SEC Consult Vulnerability Lab Security Advisory < 20220215-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: Multiple Zyxel devices
vulnerable version: For affected products see “Solution” section
fixed version: see “Solution” section
CVE number: –
impact: Critical
homepage:…
Trojan-Spy.Win32.Zbot.aawo.Zeus-Builder / Insecure Permissions
Read Time:20 Second
Posted by malvuln on Feb 16
Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/fe0dacbc953d4301232b386fcb3afc23.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Spy.Win32.Zbot.aawo.Zeus-Builder
Vulnerability: Insecure Permissions
Description: ZeuS Builder saves PE files to the c drive with insecure
permissions granting change (C) permissions to the authenticated user
group. Standard users can…
Backdoor.Win32.Prosti.b / Insecure Permissions
Read Time:19 Second
Posted by malvuln on Feb 16
Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/8201ba6b542fc91c004110b2fc5395aa.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Prosti.b
Vulnerability: Insecure Permissions
Description: The malware writes a “.dll” PE file with insecure permissions
under c drive granting change (C) permissions to the authenticated user
group. Standard users can…
Email-Worm.Win32.Lama / Insecure Permissions
Read Time:19 Second
Posted by malvuln on Feb 16
Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/1c255ef6fd44877700867f94a59875d2.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Email-Worm.Win32.Lama
Vulnerability: Insecure Permissions
Description: The malware writes a “.BAT” file with insecure permissions
under c drive granting change (C) permissions to the authenticated user
group. Standard users can rename…
Backdoor.Win32.Prorat.lkt / Weak Hardcoded Password
Read Time:19 Second
Posted by malvuln on Feb 16
Discovery / credits: Malvuln – malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/65a53a37843db2b86a67a9e23277c1bf.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Prorat.lkt
Vulnerability: Weak Hardcoded Password
Description: The malware listens on TCP port 2121. Authentication is
required, however the password “special” is weak and hardcoded in cleartext
at offset 0040267C.
Type:…
DSA-5079 chromium – security update
Read Time:7 Second
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
Drupal core – Moderately critical – Information disclosure – SA-CORE-2022-004
Read Time:1 Minute, 21 Second
Project:
Date:
2022-February-16
Vulnerability:
Information disclosure
CVE IDs:
CVE-2022-25270
Description:
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the “access in-place editing” permission viewing some content they are are not authorized to access.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Also see Quick Edit – Moderately critical – Information disclosure – SA-CONTRIB-2022-025 which addresses the same vulnerability for the contributed module.
This advisory is not covered by Drupal Steward.
Solution:
Install the latest version:
If you are using Drupal 9.3, update to Drupal 9.3.6.
If you are using Drupal 9.2, update to Drupal 9.2.13.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 core does not include the QuickEdit module and therefore is not affected.
Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.
Reported By:
Fixed By:
Théodore Biadala
xjm of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Adam G-H
Drew Webber of the Drupal Security Team
Wim Leers
Ted Bowman
Dave Long
Derek Wright
Lee Rowlands of the Drupal Security Team
Samuel Mortenson
Joseph Zhao
xjm of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Adam G-H
Drew Webber of the Drupal Security Team
Wim Leers
Ted Bowman
Dave Long
Derek Wright
Lee Rowlands of the Drupal Security Team
Samuel Mortenson
Joseph Zhao