User Rank: Author
1/8/2015 | 3:23:31 PM
I probably did sound contradictory in the comments you highlighted. Great catch. I did not do a good job in defining where I am talking about threat and where I am talking about data/applications.
In the first reference, I was referring to data and applications. In other words, you cannot protect all of your data and applications; you should aggressively segment and control access to your company crown jewels.
In the second reference, I am referring to threat. I am trying to coach CISOs and business owners to assume you are a target. Too many companies, like CodeSpaces, probably believe they are not a target because they do not have something of value to criminals (i.e. credit card data, electronic health records). Even in this case, these companies should still NOT try to protect their whole environment, especially if it is very complex or dynamic. They should still identify the company crown jewels and aggressively segment. In the use case of CodeSpaces, they might have been saved by 2-factor auth for their admin access to their cloud environment.
Hopefully that clears up the confusion, thanks for asking for clarification.