Month: October 2022

  • Vulnerability Summary for the Week of October 24, 2022

    Original release date: October 31, 2022. High Vulnerabilities (table columns: Primary Vendor — Product, Description, Published, CVSS Score, Source & Patch Info). 10web — form_maker: The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by…

  • CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication

    Original release date: October 31, 2022. CISA has released two fact sheets to highlight threats against accounts and systems using certain forms of multifactor authentication (MFA). CISA strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats. If an organization using mobile push-notification-based MFA is unable to implement…

  • Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies

    Original release date: October 28, 2022. CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Understanding and Responding to Distributed Denial-of-Service Attacks to provide organizations with proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks. The guidance is for both network defenders and leaders to…

  • CISA Adds Six Known Exploited Vulnerabilities to Catalog

    Original release date: October 24, 2022. CISA has added six vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on…

  • Vulnerability Summary for the Week of October 17, 2022

    Original release date: October 24, 2022. High Vulnerabilities (table columns: Primary Vendor — Product, Description, Published, CVSS Score, Source & Patch Info). 74cms — 74cmsse: An arbitrary file upload vulnerability in the component /apiadmin/upload/attach of 74cmsSE v3.13.0 allows attackers to execute arbitrary code via a crafted PHP file. Published 2022-10-17, CVSS 9.8, CVE-2022-42154, MISC. acer — altos_w2000h-w570h_f4_firmware: Acer…

  • #StopRansomware: Daixin Team

    Original release date: October 21, 2022. CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have released a joint Cybersecurity Advisory (CSA), #StopRansomware: Daixin Team, to provide information on the “Daixin Team,” a cybercrime group actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector,…

  • AA22-294A: #StopRansomware: Daixin Team

    Original release date: October 21, 2022. Summary. Actions to take today to mitigate cyber threats from ransomware: • Install updates for operating systems, software, and firmware as soon as they are released. • Require phishing-resistant MFA for as many services as possible. • Train users to recognize and report phishing attempts. Note: This joint Cybersecurity…

  • Cisco Releases Security Update for Cisco Identity Services Engine

    Original release date: October 21, 2022. Cisco has released a security update to address vulnerabilities affecting Cisco Identity Services Engine (ISE). A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing high and low severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to…

  • Vulnerability Summary for the Week of October 10, 2022

    Original release date: October 17, 2022 | Last revised: October 18, 2022. High Vulnerabilities (table columns: Primary Vendor — Product, Description, Published, CVSS Score, Source & Patch Info). adobe — acrobat_reader: Adobe Acrobat Reader versions 22.002.20212 (and earlier) and 20.005.30381 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code…

  • CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool

    Original release date: October 14, 2022. CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making. For more information, CISA encourages users to review RedEye on GitHub and watch CISA’s…