News & Sicurezza
Aggiornamenti da ENISA, NVD e le principali fonti di cybersecurity europee. Tutto quello che un Responsabile Tecnico deve sapere.
24751 risultati
CVE ID :CVE-2026-12602 Published : June 22, 2026, 12:34 p.m. | 3 hours, 9 minutes ago Description :Incorrect default permissions in ArubaSign, affecting versions prior to v4.6.6. The vulnerability is caused by the assignment of inappropriate permissions during the software’s default installation, whereby the main executable and other programme files located in C:\Program Files have excessive permissions for the ‘Everyone’ group. This could allow an unprivileged user to replace the main executable and/or its components with a malicious file, thereby enabling the execution of arbitrary code. In the worst-case scenario, if the malicious code is executed with elevated privileges (such as those of Administrator or SYSTEM), the attacker could escalate privileges and gain full control of the system, compromising both security and data integrity. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-56446 Published : June 22, 2026, 12:31 p.m. | 3 hours, 12 minutes ago Description :MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments. Severity: 8.7 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Stop Your Legacy Infrastructure from Hijacking Your AI Agents Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security progra ... Read more Published Date: Jun 22, 2026 (4 days, 1 hour ago) Vulnerabilities has been mentioned in this article. CVE-2026-11645 CVE-2025-24813
CVE ID :CVE-2026-56422 Published : June 22, 2026, 11:43 a.m. | 2 hours ago Description :Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object. In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context. The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned. Severity: 9.4 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-11373 Published : June 22, 2026, 11:28 a.m. | 2 hours, 15 minutes ago Description :Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More It’s Monday again. This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking ... Read more Published Date: Jun 22, 2026 (4 days, 2 hours ago) Vulnerabilities has been mentioned in this article.
CVE ID :CVE-2026-12581 Published : June 22, 2026, 9:30 a.m. | 4 hours, 13 minutes ago Description :EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-12580 Published : June 22, 2026, 9:26 a.m. | 4 hours, 17 minutes ago Description :EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2023-45795 Published : June 22, 2026, 9:06 a.m. | 4 hours, 37 minutes ago Description :A cross-site scripting vulnerability in the Builder Component of Pilz PASvisu before 1.14.1 allows a local unauthenticated attacker to inject malicious javascript and gain full control over the device. Severity: 7.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2023-45796 Published : June 22, 2026, 9:04 a.m. | 4 hours, 39 minutes ago Description :A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability. Severity: 8.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-12863 Published : June 22, 2026, 8:41 a.m. | 5 hours, 2 minutes ago Description :An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains. Severity: 5.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-12862 Published : June 22, 2026, 8:26 a.m. | 5 hours, 17 minutes ago Description :Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file. Severity: 5.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Pagina 158 di 2063