Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-31856PUBLISHED: 2022-07-05Newsletter Module v3.x was discovered to contain a SQL injection vulnerability via the zemez_newsletter_email parameter at /index.php.
CVE-2022-32310PUBLISHED: 2022-07-05An access control issue in Ingredient Stock Management System v1.0 allows attackers to take over user accounts via a crafted POST request to /isms/classes/Users.php.
CVE-2022-32311PUBLISHED: 2022-07-05Ingredient Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /isms/admin/stocks/view_stock.php.
CVE-2022-32413PUBLISHED: 2022-07-05An arbitrary file upload vulnerability in Dice v4.2.0 allows attackers to execute arbitrary code via a crafted file.
CVE-2022-34972PUBLISHED: 2022-07-05So Filter Shop v3.x was discovered to contain multiple blind SQL injection vulnerabilities via the att_value_id , manu_value_id , opt_value_id , and subcate_value_id parameters at /index.php?route=extension/module/so_filter_shop_by/filter_data.
User Rank: Ninja
1/14/2015 | 12:16:11 PM
Imagine a company that has invested heavily in (at the time) state of the art security appliances. They pour lots of dollars into installation, configuration, training, optimization, etc. Well, what was state of the art then becomes somewhat outdated very rapidly given the ever changing threat landscape, increasing sophistication of the attack vectors, and mitigating technology advances. The company then has to spend a lot every year just to update and maintain those systems (hopefully not forklift and replace them), and train employees on the updates, in addition to whatever "normal" training they have to undergo. Outsourcing the hardware and monitoring components seems like a more reasonable and predictable cost. Within the company, there needs to be a very comprehensive and well defined Event and Incident Response strategy that can rapidly act upon any suspect event identified by the solution provider. Target had a similar model, but the breach was largely aided by an improperly handled event; their security personnel were notified of the suspect event (malware presence) by their service provider, but their incident handling procedures failed them.
I'm sure many companies have the strategy where they throw technology in to resolve a security gap, giving them an increased sense of security, but in reality, unless the companies have a sound security strategy in place that is based on well known basic security practices (such as the SANS 20 Critical Controls among others), all that technology will only serve as a false sense of security.