IS Security CERT Global

    • CVE-2021-45802 (iresturant)
      MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because the email and phone parameter values are added to the SQL query without any verification at the time ... read more
    • CVE-2022-21715 (codeigniter)
      CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `APIResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do ... read more
    • CVE-2022-21710 (shortdescription)
      ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, ... read more
    • CVE-2021-45226 (construction_cloud)
      An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites. ... read more
    • CVE-2021-43588 (emc_data_protection_central)
      Dell EMC Data Protection Central version 19.5 contains an Improper Input Validation Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. ... read more
    • CVE-2021-43589 (emc_unity_operating_environment, emc_unity_xt_operating_environment, emc_unityvsa_operating_environment)
      Dell EMC Unity, Dell EMC UnityVSA and Dell EMC Unity XT versions prior to 5.1.2.0.5.007 contain an operating system (OS) command injection Vulnerability. A locally authenticated user with high privileges ... read more
    • CVE-2021-36349 (emc_data_protection_central)
      Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this ... read more
    • CVE-2021-46113 (kea-hotel-erp)
      In MartDevelopers KEA-Hotel-ERP open source as of 12-31-2021, a remote code execution vulnerability can be exploited by uploading PHP files using the file upload vulnerability in this service. ... read more
    • CVE-2022-22554 (emc_system_update)
      Dell EMC System Update, version 1.9.2 and prior, contain an Unprotected Storage of Credentials vulnerability. A local attacker with user privileges could potentially exploit this vulnerability leading to the disclosure ... read more
    • CVE-2020-17383 (z/ip_one_firmware)
      A directory traversal vulnerability on Telos Z/IP One devices through 4.0.0r grants an unauthenticated individual root level access to the device's file system. This can be used to identify configuration ... read more
    • CVE-2021-45803 (iresturant)
      MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because this view parameter value is added to the SQL query without additional verification when viewing reservation. ... read more
    • CVE-2021-34073
      A Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Gadget Works Online Ordering System in PHP/MySQLi 1.0 via the Category parameter in an add function in category/index.php. ... read more
    • CVE-2021-40395
      ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: ... read more
    • CVE-2021-45898
      SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion. ... read more
    • CVE-2021-45897
      SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. ... read more
    • CVE-2022-22294
      A SQL injection vulnerability exists in ZFAKA<=1.43 which an attacker can use to complete SQL injection in the foreground and add a background administrator account. ... read more
    • CVE-2021-45899
      SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution. ... read more
    • CISA Adds Eight Known Exploited Vulnerabilities to Catalog
      Original release date: January 28, 2022. CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in ... read more
    • On our own behalf: CERT.at is hiring (Junior IT Security Analyst, IT Security Analyst, Python Developer)
      We are currently looking for: a career starter or career changer with a strong interest in IT security to support the daily routine tasks; an IT/OT security generalist or a specialist in Windows security with practical experience; a Python developer ... read more
    • CVE-2020-25905
      An SQL Injection vulnerability exists in Sourcecodester Mobile Shop System in PHP MySQL 1.0 via the email parameter in (1) login.php or (2) LoginAsAdmin.php. ... read more
    • CVE-2021-44249
      Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Blind Time-Based SQL Injection attack within the login portal. This can lead attackers to remotely dump MySQL database credentials. ... read more
    • CVE-2021-45435
      An SQL Injection vulnerability exists in Sourcecodester Simple Cold Storage Management System using PHP/OOP 1.0 via the username field in login.php. ... read more
    • CVE-2022-23096
      An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation lacks a check for the presence of sufficient Header Data, leading to an ... read more
    • CVE-2022-23863
      Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. ... read more
    • CVE-2022-23098
      An issue was discovered in the DNS proxy in Connman through 1.40. The TCP server reply implementation has an infinite loop if no data is received. ... read more
    • CVE-2022-23097
      An issue was discovered in the DNS proxy in Connman through 1.40. forward_dns_reply mishandles a strnlen call, leading to an out-of-bounds read. ... read more
    • CVE-2021-45225 (construction_cloud)
      An issue was discovered in COINS Construction Cloud 11.12. Due to improper input neutralization, it is vulnerable to reflected cross-site scripting (XSS) via malicious links (affecting the search window and ... read more
    • CVE-2021-43420 (online_payment_hub)
      SQL injection vulnerability in Login.php in Sourcecodester Online Payment Hub v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter. ... read more
    • CVE-2021-40596 (online_learning_system)
      SQL injection vulnerability in Login.php in sourcecodester Online Learning System v2 by oretnom23, allows attackers to execute arbitrary SQL commands via the faculty_id parameter. ... read more
    • CVE-2021-45342 (librecad)
      A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document. ... read more
    • CVE-2021-45222 (construction_cloud)
      An issue was discovered in COINS Construction Cloud 11.12. Due to logical flaws in the human resources interface, it is vulnerable to privilege escalation by HR personnel. ... read more
    • CVE-2021-40909 (php_crud_without_refresh/reload_using_ajax_and_datatables_tutorial)
      Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, ... read more
    • CVE-2021-41658 (student_quarterly_grading_system)
      Cross Site Scripting (XSS) in Sourcecodester Student Quarterly Grading System by oretnom23, allows attackers to execute arbitrary code via the fullname and username parameters to the users page. ... read more
    • CVE-2021-25031 (image_hover_effects_ultimate)
      The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in ... read more
    • CVE-2021-40908 (purchase_order_management_system)
      SQL injection vulnerability in Login.php in Sourcecodester Purchase Order Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter. ... read more
    • CVE-2021-44981 (quickbox)
      In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell ... read more
    • CVE-2021-40907 (storage_unit_rental_management_system)
      SQL injection vulnerability in Sourcecodester Storage Unit Rental Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /storage/classes/Login.php. ... read more
    • CVE-2021-45223 (construction_cloud)
      An issue was discovered in COINS Construction Cloud 11.12. Due to insufficient input neutralization, it is vulnerable to denial of service attacks via forced server crashes. ... read more
    • CVE-2022-22296 (hospital's_patient_records_management_system)
      Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be ... read more
    • CVE-2021-25015 (mycred)
      The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue ... read more
    • CVE-2021-41472 (simple_membership_system_using_php_and_ajax)
      SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password parameters. ... read more
    • CVE-2021-45343 (librecad)
      In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document. ... read more
    • CVE-2021-25028 (event_tickets)
      The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue ... read more
    • CVE-2021-41471 (south_gate_inn_online_reservation_system)
      SQL injection vulnerability in Sourcecodester South Gate Inn Online Reservation System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the email and Password parameters. ... read more
    • CVE-2022-0269 (yetiforce_customer_relationship_management)
      Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0. ... read more
    • CVE-2021-45224 (construction_cloud)
      An issue was discovered in COINS Construction Cloud 11.12. In several locations throughout the application, JavaScript code is passed as a URL parameter. Attackers can trivially alter this code to ... read more
    • Weekly Threat Report 28th January 2022
      Read about the Mirai-based malware exploiting poor security, CISA updates and New Scanning Made Easy trial service from the NCSC ... read more
    • CERT-SE's weekly newsletter, week 4
      This week's newsletter has, as usual, articles on malicious code and phishing. There are also a couple of articles on Log4Shell. NCSC-UK and CISA give advice on how to ... read more
    • CVE-2022-23855 (enterprise_identity_cloud)
      An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An authentication bypass in ECM/maintenance/forgotpasswordstep1 allows an unauthenticated user to reset passwords and login as any local account. ... read more
    • CVE-2022-23856 (enterprise_identity_cloud)
      An issue was discovered in Saviynt Enterprise Identity Cloud (EIC) 5.5 SP2.x. An attacker can enumerate users by changing the id parameter, such as for the ECM/maintenance/forgotpasswordstep1 URI. ... read more
Title / Category / Tag

    • Building Innovative Public-Private-Partnerships for Effective and Equitable WSS Services – Project Financing
      Category: Infrastructure, PPP, Project Finance. Tags: epcm, governments, infrastructure
    • Accelerating Action CDP Global Water Report 2015 – Project Financing
      Category: Infrastructure, Project Finance, Water. Tags: governments, infrastructure, water
    • Deloitte NASCIO Cybersecurity Study – State Governments at Risk – Cybersecurity
      Category: Cybersecurity, Infrastructure, Smart Cities. Tags: cybersecurity, infosec
    • US DOE CIB – 21 Steps to Improve Cyber Security of SCADA Networks – Cybersecurity
      Category: Cybersecurity, IIOT, Infrastructure. Tags: cybersecurity, ICS, SCADA