Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2289 (published 2022-07-03): Use After Free in GitHub repository vim/vim prior to 9.0.
CVE-2022-2288 (published 2022-07-03): Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
CVE-2022-2290 (published 2022-07-03): Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/trilium prior to 0.52.4, 0.53.1-beta.
CVE-2022-2287 (published 2022-07-02): Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVE-2022-34911 (published 2022-07-02): An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the usern...
User Rank: Ninja
1/14/2015 | 12:16:11 PM
Imagine a company that has invested heavily in (at the time) state-of-the-art security appliances. They pour lots of dollars into installation, configuration, training, optimization, etc. Well, what was state of the art then becomes somewhat outdated very rapidly, given the ever-changing threat landscape, the increasing sophistication of the attack vectors, and advances in mitigating technology. The company then has to spend a lot every year just to update and maintain those systems (hopefully not forklift and replace them), and train employees on the updates, in addition to whatever "normal" training they have to undergo. Outsourcing the hardware and monitoring components seems like a more reasonable and predictable cost. Within the company, there needs to be a very comprehensive and well-defined Event and Incident Response strategy that can rapidly act upon any suspect event identified by the solution provider. Target had a similar model, but the breach was largely aided by an improperly handled event; their security personnel were notified of the suspect event (malware presence) by their service provider, but their incident handling procedures failed them.
I'm sure many companies have the strategy where they throw technology in to resolve a security gap, giving them an increased sense of security, but in reality, unless the companies have a sound security strategy in place that is based on well-known basic security practices (such as the SANS 20 Critical Controls, among others), all that technology will only serve as a false sense of security.