User Rank: Strategist
6/23/2017 | 11:38:43 AM
Until a dedicated exchange or forum exists (besides the existing tools that mesh subscriber detections today) that anonymizes the reporting entity sources, we won't see any real open collaboration. The fundamental problem in this interchange model is that the closer you get to anonymity, the farther you get from assurance and authenticity. Meaning, the reliability of threat articulation from an anonymous source is less than that from a vetted representative of "MegaCorp, LLC" proper. This could be overcome by an intermediate, sanctioned broker to ensure the reporting entity is genuine.
Until the exchange mechanism is sexy and "now," it won't work either. The threat intelligence collaboration and sharing service needs to be solidly edgy social media. Think "HackedIn" and not some cold, corporate or government offering that reads like RFCs and NIST documentation.
Until the threat intelligence interchange is highly automated, it won't be accepted. MegaCorp is not going to dedicate service agents or ongoing labor to contributing content or to consuming it. If the end-all solution doesn't facilitate fast-flux transactions in both directions and provide actionable output that itself can be automated, it won't be widely adopted.