CISA Added GLPI Command Injection Vulnerability to its KEV Catalog (CVE-2022-35914)

GLPI, an open-source IT Asset Management software, is vulnerable to a command injection flaw that could lead to remote code execution on successful exploitation. The critical severity vulnerability is tracked as CVE-2022-35914 and has a CVSSv3 score of 9.8. GLPI patched the vulnerability on September 14, 2022. The advisory states, “CVE-2022-35914 has been massively exploited … Continue reading “CISA Added GLPI Command Injection Vulnerability to its KEV Catalog (CVE-2022-35914)”

Apache Spark Command Injection Vulnerability (CVE-2022-33891)

Kostya Kortchinsky has discovered a command injection vulnerability in the Apache Spark User Interface (UI). Assigned with CVE-2022-33891, the vulnerability can be exploited when Access Control Lists (ACLs) are enabled. Apache fixed the vulnerability on July 18, 2022; however, the flaw is being exploited in the wild. CISA has added the vulnerability to its Known … Continue reading “Apache Spark Command Injection Vulnerability (CVE-2022-33891)”

ArubaOS Multiple Vulnerabilities (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750, CVE-2023-22751, and CVE-2023-22752)

Aruba Networks has released a security advisory to address 33 vulnerabilities that affect different versions of ArubaOS. The vulnerabilities affect various products, including Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways. Out of these 33 vulnerabilities, six are rated as critical. CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750 are critical severity command … Continue reading “ArubaOS Multiple Vulnerabilities (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750, CVE-2023-22751, and CVE-2023-22752)”

Cacti Unauthenticated Command Injection Vulnerability (CVE-2022-46169)

Cacti, a web-based device monitoring tool, is vulnerable to a critical command injection vulnerability. Tracked as CVE-2022-46169, this vulnerability requires no authentication for exploitation. On successful exploitation, this could allow an unauthenticated attacker to execute arbitrary code if a specific data source was selected for any monitored device. Cacti is a network monitoring and graphing … Continue reading “Cacti Unauthenticated Command Injection Vulnerability (CVE-2022-46169)”

Atlassian Patches Critical Command Injection Vulnerability in Bitbucket Server and Data Center (CVE-2022-43781)

Atlassian has released a security advisory to address a critical vulnerability in Bitbucket Server and Data Center (CVE-2022-43781). Bitbucket is a Git-based code hosting and collaboration tool built for teams. Bitbucket Server is hosted on-premises while the Bitbucket Data Center is hosted on several servers in a cluster in your environment. CVE-2022-43781 is a command … Continue reading “Atlassian Patches Critical Command Injection Vulnerability in Bitbucket Server and Data Center (CVE-2022-43781)”