by Contributed | Oct 12, 2022 | Dynamics 365, Microsoft 365, Technology
This article is contributed. See the original author and article here.
At Microsoft Ignite 2022, we are showcasing new AI, automation, and collaborative solutions that help your business be more efficient, engage better across teams and departments, and deliver more breakthrough customer experiences. By helping your business better connect people, data, and processes, you can be more agile and reduce complexity, so you can do more with less.
In a special Into Focus session, we will showcase these and other new investments introduced in our second biannual release wave, release wave 2, to help you adapt to change, innovate, and modernize your processes across the organization, from sales to service to supply chain and finance.
Product updates at a glance
Be more efficient with new AI and automation updates:
- Empower sellers to focus on closing deals with Microsoft Viva Sales, the new seller experience application that is now generally available.
- Make every sales conversation more useful and engaging with conversation intelligence, available for no extra charge in Microsoft Dynamics 365 Sales Enterprise and Viva Sales.
- Create more consistent sales processes with sequencing for sales in Dynamics 365 Sales.
- Enable service agents to better serve customers with AI-generated conversation summaries in Microsoft Dynamics 365 Customer Service.
Collaborate in the flow of work with new integrations between Microsoft Teams and Microsoft Dynamics 365:
- Solve complex service cases faster by easily collaborating with subject matter experts over Teams, right within Microsoft Dynamics 365 Customer Service.
- Enable Teams users to access Dynamics 365 Business Central data, even without a Dynamics 365 license.
Improve employee and customer experiences with AI and automation
We continue to infuse AI and automation into business processes, driving more effective customer journeys. The updates we are introducing will help marketers, sellers, and service agents to hyper-personalize customer experiences.
Introducing unlimited conversation intelligence for Dynamics 365 Sales Enterprise and Viva Sales
Sellers can take advantage of new AI capabilities that help them prioritize their work and surface in-context collaboration experiences so that they can reclaim time to engage more authentically and efficiently.
Now generally available, Viva Sales is a new seller experience application that brings together any customer relationship management (CRM) system, Microsoft 365, and Teams to provide a more streamlined and AI-powered selling experience. Viva Sales captures customer insights and deal insights from Microsoft 365 (including Outlook emails and Teams chats) and then populates them within any CRM system, eliminating manual data entry and freeing time to focus on selling.
Additionally, while meeting with customers in a Teams call, sellers can record and transcribe the meeting to get a rich summary using conversation intelligence. The meeting summary helps sellers understand the overall sentiment of the call and tracks helpful conversation key performance indicators (KPIs), such as a seller’s talk-to-listen ratio.
We are confident that conversation intelligence will change the way sellers engage with customers, and we want to make it available to as many sellers as possible. That’s why we are announcing that users of both Microsoft Dynamics 365 Sales Enterprise and Viva Sales will have full access to conversation intelligence capabilities at no extra charge.
In addition, we are announcing several feature updates, coming to preview early next year, for sales conversation intelligence, including:
- Real-time, in-conversation content suggestions: As sellers engage customers on a Teams call or meeting, they will be guided with content to share or help inform the conversation, such as product and pricing details and competitive battle cards, all surfaced in real time as they chat.
- Recommended resources and insights: Content such as talking points, important mentions, customer sentiment, and conversation style helps provide a deeper understanding of what comprises winning sales strategies and how sellers’ behaviors directly correlate to business results.
- Email intelligence: Suggests prompts to sellers for the updates needed in their CRM.
Learn more about conversation intelligence in this detailed blog post. Also, read more about what’s possible with Viva Sales.
Enable sales journey orchestration with new sequencing for sales features
We are also introducing new AI-powered sequencing for sales capabilities for Dynamics 365 Sales that help create consistent step-by-step activities for sellers to perform in the selling process, giving them a better understanding of what to do next. With sequencing for sales, sellers are empowered to build similar customer journeys, ensuring the best experiences for their customers and their sellers.
All of these updates join a host of new features for Dynamics 365 Sales and Dynamics 365 Marketing, which introduce moments-based marketing with real-time journey orchestration, using AI to market at scale and achieve higher levels of marketing maturity.
Watch 2022 release wave 2 release highlights for Dynamics 365 Sales.
Empower service agents to always exceed customer expectations
As a frontline for customer satisfaction and retention, service agents need modern tools to scale the personalized support customers need. In the 2022 release wave 2, our focus is on enriching contact centers with AI and automation across every engagement channel.
Earlier this year, we introduced the Microsoft Digital Contact Center Platform, an open, extensible, and collaborative contact center solution. The platform is powered by Dynamics 365, Teams, Microsoft Power Platform, and Nuance, delivering best-in-class AI that powers self-service experiences, live customer engagements, collaborative agent experiences, business process automation, advanced telephony, and fraud prevention capabilities.
We are introducing the ability to automate an AI-generated conversation summary in Dynamics 365 Customer Service when an agent uses the embedded Teams capabilities. This accelerates issue resolution with an auto-generated structured conversation summary that shares context, including the summary of the customer issue and the result of the resolution tried by the agent. In addition, agents can review a customer’s previous chat history to get visibility and context to conversations. This is especially helpful in scenarios where a customer service agent has a case transferred to them.
The feature is in preview as part of Dynamics 365 Customer Service and is expected to be generally available in October 2022.
Watch 2022 release wave 2 release highlights for Dynamics 365 Customer Service.
More ways to collaborate in the flow of work with Teams and Dynamics 365
At last year’s Microsoft Ignite, we introduced Context IQ, a set of capabilities for Dynamics 365 and Microsoft 365 that enables business users to access documents and records, colleagues across the organization, and conversations in the flow of work, whether from within Dynamics 365 or Microsoft 365 applications.
We’ve already embedded Teams within Dynamics 365 Sales, helping sellers to team up with other sellers and subject matter experts to close deals faster. Now, we’re extending the integrated Teams experience to other Dynamics 365 applications.
Now in preview and slated for general availability in October 2022, service agents can engage with colleagues over Teams chat right from within Dynamics 365 Customer Service. This enables agents to solve complex service cases faster by easily collaborating with subject matter experts within the organization, such as agents from other departments, supervisors, customer service peers, or support experts. Chats over Teams will be linked directly to customer service records, enabling a contextual experience.
For small and medium-sized businesses (SMBs), 2022 release wave 2 updates for Dynamics 365 Business Central include new ways to collaborate and share data over Teams. Starting November 4, 2022, Teams users will have access to Business Central data from within the collaboration app, regardless of whether they have a Dynamics 365 license. Admins will be able to set permission and access rules to restrict access to business records. Business Central users can invite people from across the organization to connect and collaborate in the flow of work, no matter where they work.
With Business Central embedded in Teams, people can collaborate on critical initiatives and projects directly where they connect. SMBs can now ensure that all team members are empowered with Context IQ: access to the right information and insights contextually, wherever and however they work.
Learn more
These updates are just a few of the hundreds of new and updated capabilities in the 2022 release wave 2. We invite you to virtually attend our Microsoft Ignite Into Focus session on Wednesday, October 12, streaming live at 3:00 PM Pacific Time, then on-demand, for a first look at the new innovations coming to market. In addition to overviews of new innovations in release wave 2, we will spotlight customers using these new technologies to drive better operational outcomes and customer success.
Be sure to also check out our roadmap for detailed release plans for Dynamics 365 and Power Platform.
The post Live from Microsoft Ignite 2022: Introducing new AI, automation, and collaboration capabilities for Dynamics 365 appeared first on Microsoft Dynamics 365 Blog.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
by Contributed | Oct 11, 2022 | Technology
Microsoft has released Security Updates (SUs) for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.
The October 2022 SUs are available for the following specific versions of Exchange Server:
The SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating any Exchange servers in their environment.
NOTE: The October 2022 SUs do not contain fixes for the zero-day vulnerabilities reported publicly on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082). Please see this blog post to apply mitigations for those vulnerabilities. We will release updates for CVE-2022-41040 and CVE-2022-41082 when they are ready.
Also note that we have re-released some CVEs published in August 2022 to highlight the resolution of a known issue. More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Enable Windows Extended Protection
Starting with the August 2022 SUs, Exchange Server supports the Windows Extended Protection (EP) feature, which can help you protect your environments from authentication relay or “man in the middle” (MitM) attacks. If you have not yet enabled EP in your environment, please install the October SUs which address a known issue in Exchange EP support (see below). Then, review the information in the Manual Enablement of Extended Protection section of our August announcement for more details.
Customers who have already installed the August 2022 SUs and have enabled EP do not need to re-run the EP script after installing the October SUs.
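The post tells you to install the October SUs and then follow the August Manual Enablement guidance, but it does not show how to confirm where EP actually ended up. The following PowerShell is an added example (not the Exchange Team's script and not part of the original post) that reads the Windows Extended Protection token-checking setting from each Exchange-related IIS virtual directory. It assumes an elevated PowerShell session on an Exchange server with the WebAdministration module, and the site and virtual directory names it checks are the installer defaults listed as an assumption here, not values taken from the post.

```powershell
# Added example, not from the Exchange Team post: report the Windows Extended
# Protection (EP) token-checking value on the IIS virtual directories Exchange uses,
# so you can see which ones still have EP off before or after enabling it.
# Assumptions: elevated PowerShell on an Exchange 2013/2016/2019 server with the
# WebAdministration module; the site and vdir names below are the installer defaults
# (an assumption, not taken from the post) and may differ in your environment.
Import-Module WebAdministration

$frontEndVdirs = 'Autodiscover', 'ECP', 'EWS', 'Microsoft-Server-ActiveSync',
                 'OAB', 'owa', 'PowerShell', 'mapi', 'rpc'
$backEndVdirs  = 'Autodiscover', 'ECP', 'EWS', 'Microsoft-Server-ActiveSync',
                 'OAB', 'owa', 'PowerShell', 'mapi/emsmdb', 'mapi/nspi', 'rpc'

$locations = @()
$locations += $frontEndVdirs | ForEach-Object { "Default Web Site/$_" }
$locations += $backEndVdirs  | ForEach-Object { "Exchange Back End/$_" }

# IIS configuration section that holds the EP settings for Windows authentication
$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEpStatus {
    param([string[]]$Locations)
    foreach ($loc in $Locations) {
        try {
            $ep = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                                       -Location $loc -Filter $epFilter -ErrorAction Stop
            if (-not $ep) { throw "no extendedProtection section at $loc" }
            $token = [string]$ep.tokenChecking   # None, Allow or Require
            [pscustomobject]@{
                Location      = $loc
                TokenChecking = $token
                Flags         = [string]$ep.flags  # e.g. None, Proxy, NoServiceNameCheck
                Enabled       = ($token -ne '' -and $token -ne 'None')
            }
        } catch {
            # Vdir absent on this role (e.g. no back end site on an Edge server)
            # or the Windows-auth section could not be read: report it, do not guess.
            [pscustomobject]@{ Location = $loc; TokenChecking = 'n/a'; Flags = 'n/a'; Enabled = $false }
        }
    }
}

Get-ExchangeEpStatus -Locations $locations | Format-Table -AutoSize
```

Run it once before and once after enabling EP and compare the TokenChecking column against the per-directory values given in the August announcement's Manual Enablement section; a value of None on a directory that guidance says should be Require or Allow is the thing to chase, and any row reporting n/a should be checked by hand rather than assumed safe.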
Update installation
The following update paths are available:

Known issues with this release
We are not aware of any known issues with this release.
Issues resolved by this release
- In Exchange 2013, Exchange 2016, and Exchange 2019, various Outlook and compliance-related monitoring probes show as Failed once EP is enabled.
FAQs
My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
Exchange Online is already protected, but the October 2022 SUs need to be installed on your Exchange servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard after installing these updates.
Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers and workstations running only the Management tools role (no Exchange services) do not need these updates.
This post might receive future updates; they will be listed here (if available).
The Exchange Server Team
by Scott Muniz | Oct 11, 2022 | Security, Technology
actian — psql |
If folder security is misconfigured for Actian Zen PSQL BEFORE Patch Update 1 for Zen 15 SP1 (v15.11.005), Patch Update 4 for Zen 15 (v15.01.017), or Patch Update 5 for Zen 14 SP2 (v14.21.022), it can allow an attacker (with file read/write access) to remove specific security files in order to reset the master password and gain access to the database. |
2022-09-30 |
8.8 |
CVE-2022-40756 MISC MISC |
apache — airflow |
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn’t prevent an already authenticated user from being able to continue using the UI or API. |
2022-10-07 |
8.1 |
CVE-2022-41672 CONFIRM CONFIRM |
apache — commons_jxpath |
Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing a XPath string are vulnerable except compile() and compilePath() function. The XPath expression can be used by an attacker to load any Java class from the classpath resulting in code execution. |
2022-10-06 |
9.8 |
CVE-2022-41852 MISC |
arubanetworks — instant |
There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address these security vulnerabilities. |
2022-10-06 |
9.8 |
CVE-2022-37888 MISC |
asus — rt-ax56u_firmware |
A stack overflow vulnerability exists in the httpd service in ASUS RT-AX56U Router Version 3.0.0.4.386.44266. This vulnerability is caused by the strcat function called by “caupload” input handle function allowing the user to enter 0xFFFF bytes into the stack. This vulnerability allows an attacker to execute commands remotely. The vulnerability requires authentication. |
2022-10-06 |
8.8 |
CVE-2021-40556 CONFIRM MISC |
autodesk — autocad |
A maliciously crafted X_B, CATIA, and PDF file when parsed through Autodesk AutoCAD 2023 and 2022 can be used to write beyond the allocated buffer. This vulnerability can lead to arbitrary code execution. |
2022-10-03 |
7.8 |
CVE-2022-33885 MISC |
autodesk — autocad |
A maliciously crafted MODEL and SLDPRT file can be used to write beyond the allocated buffer while parsing through Autodesk AutoCAD 2023 and 2022. The vulnerability exists because the application fails to handle crafted MODEL and SLDPRT files, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code. |
2022-10-03 |
7.8 |
CVE-2022-33886 MISC |
autodesk — autocad |
A maliciously crafted PDF file when parsed through Autodesk AutoCAD 2023 causes an unhandled exception. An attacker can leverage this vulnerability to cause a crash or read sensitive data or execute arbitrary code in the context of the current process. |
2022-10-03 |
7.8 |
CVE-2022-33887 MISC |
autodesk — autocad |
A malicious crafted Dwg2Spd file when processed through Autodesk DWG application could lead to memory corruption vulnerability by write access violation. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. |
2022-10-03 |
7.8 |
CVE-2022-33888 MISC |
autodesk — autocad |
Parsing a maliciously crafted X_B file can force Autodesk AutoCAD 2023 and 2022 to read beyond allocated boundaries. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. |
2022-10-03 |
7.5 |
CVE-2022-33884 MISC |
autodesk — autodesk_desktop |
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code. |
2022-10-03 |
9.8 |
CVE-2022-33882 MISC |
autodesk — design_review |
A maliciously crafted GIF or JPEG files when parsed through Autodesk Design Review 2018, and AutoCAD 2023 and 2022 could be used to write beyond the allocated heap buffer. This vulnerability could lead to arbitrary code execution. |
2022-10-03 |
7.8 |
CVE-2022-33889 MISC |
autodesk — design_review |
A maliciously crafted PCT or DWF file when consumed through DesignReview.exe application could lead to memory corruption vulnerability. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. |
2022-10-03 |
7.8 |
CVE-2022-33890 MISC |
autodesk — moldflow_synergy |
A malicious crafted file consumed through Moldflow Synergy, Moldflow Adviser, Moldflow Communicator, and Advanced Material Exchange applications could lead to memory corruption vulnerability. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. |
2022-10-03 |
7.8 |
CVE-2022-33883 MISC |
autodesk — subassembly_composer |
A maliciously crafted PKT file when consumed through SubassemblyComposer.exe application could lead to memory corruption vulnerability. This vulnerability in conjunction with other vulnerabilities could lead to code execution in the context of the current process. |
2022-10-03 |
7.8 |
CVE-2022-41301 MISC |
axiosys — bento4 |
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBits function in mp4mux. |
2022-10-03 |
8.8 |
CVE-2022-41428 MISC |
axiosys — bento4 |
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_Atom::TypeFromString function in mp4tag. |
2022-10-03 |
8.8 |
CVE-2022-41429 MISC |
axiosys — bento4 |
Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadBit function in mp4mux. |
2022-10-03 |
8.8 |
CVE-2022-41430 MISC |
backdropcms — backdrop_cms |
Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via ‘themes’ that allows attackers to Remote Code Execution. |
2022-10-07 |
7.2 |
CVE-2022-42092 MISC |
billing_system_project_project — billing_system_project |
Billing System Project v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/createProduct.php. |
2022-09-30 |
7.2 |
CVE-2022-41437 MISC |
billing_system_project_project — billing_system_project |
Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /phpinventory/edituser.php. |
2022-09-30 |
7.2 |
CVE-2022-41439 MISC |
billing_system_project_project — billing_system_project |
Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /phpinventory/editcategory.php. |
2022-09-30 |
7.2 |
CVE-2022-41440 MISC |
bookingultrapro — booking_ultra_pro_appointments_booking_calendar |
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Booking Ultra Pro plugin <= 1.1.4 at WordPress. |
2022-09-30 |
8.8 |
CVE-2021-36854 CONFIRM CONFIRM |
bus_pass_management_system_project — bus_pass_management_system |
Bus Pass Management System 1.0 was discovered to contain a SQL Injection vulnerability via the searchdata parameter at /buspassms/download-pass.php.. |
2022-09-30 |
9.8 |
CVE-2022-35156 MISC MISC MISC |
cisco — ios_xe |
A vulnerability in the DHCP processing functionality of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the improper processing of DHCP messages. An attacker could exploit this vulnerability by sending malicious DHCP messages to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. |
2022-09-30 |
7.5 |
CVE-2022-20847 CISCO |
cisco — ios_xe |
A vulnerability in the UDP processing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst 9100 Series Access Points could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the improper processing of UDP datagrams. An attacker could exploit this vulnerability by sending malicious UDP datagrams to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. |
2022-09-30 |
7.5 |
CVE-2022-20848 CISCO |
cisco — ios_xe |
A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) Mobility messages in Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a logic error and improper management of resources related to the handling of CAPWAP Mobility messages. An attacker could exploit this vulnerability by sending crafted CAPWAP Mobility packets to an affected device. A successful exploit could allow the attacker to exhaust resources on the affected device. This would cause the device to reload, resulting in a DoS condition. |
2022-09-30 |
7.5 |
CVE-2022-20856 CISCO |
cisco — ios_xe |
A vulnerability in the processing of malformed Common Industrial Protocol (CIP) packets that are sent to Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to unexpectedly reload, resulting in a denial of service (DoS) condition. This vulnerability is due to insufficient input validation during processing of CIP packets. An attacker could exploit this vulnerability by sending a malformed CIP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to unexpectedly reload, resulting in a DoS condition. |
2022-09-30 |
7.5 |
CVE-2022-20919 CISCO |
cisco — ios_xe |
A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To exploit this vulnerability, an attacker must have valid Administrator privileges on the affected device. |
2022-09-30 |
7.2 |
CVE-2022-20851 CISCO |
cisco — sd-wan_vbond_orchestrator |
Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user. |
2022-09-30 |
7.8 |
CVE-2022-20818 CISCO |
cisco — sd-wan_vmanage |
Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user. |
2022-09-30 |
7.8 |
CVE-2022-20775 CISCO |
cisco — sd-wan_vsmart_controller |
A vulnerability in the CLI of stand-alone Cisco IOS XE SD-WAN Software and Cisco SD-WAN Software could allow an authenticated, local attacker to delete arbitrary files from the file system of an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary file path information when using commands in the CLI of an affected device. A successful exploit could allow the attacker to delete arbitrary files from the file system of the affected device. |
2022-09-30 |
7.1 |
CVE-2022-20850 CISCO |
cloudflare — goflow |
sflow decode package does not employ sufficient packet sanitisation which can lead to a denial of service attack. Attackers can craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service. |
2022-09-30 |
7.5 |
CVE-2022-2529 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php or_where() function. |
2022-10-07 |
9.8 |
CVE-2022-40824 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php where_in() function. |
2022-10-07 |
9.8 |
CVE-2022-40825 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php or_having() function. |
2022-10-07 |
9.8 |
CVE-2022-40826 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php where() function. |
2022-10-07 |
9.8 |
CVE-2022-40827 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php or_where_not_in() function. |
2022-10-07 |
9.8 |
CVE-2022-40828 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php or_like() function. |
2022-10-07 |
9.8 |
CVE-2022-40829 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php where_not_in() function. |
2022-10-07 |
9.8 |
CVE-2022-40830 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php like() function. |
2022-10-07 |
9.8 |
CVE-2022-40831 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php having() function. |
2022-10-07 |
9.8 |
CVE-2022-40832 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php or_where_in() function. |
2022-10-07 |
9.8 |
CVE-2022-40833 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php or_not_like() function. |
2022-10-07 |
9.8 |
CVE-2022-40834 MISC |
codeigniter — codeigniter |
B.C. Institute of Technology CodeIgniter <=3.1.13 is vulnerable to SQL Injection via systemdatabaseDB_query_builder.php. |
2022-10-07 |
9.8 |
CVE-2022-40835 MISC |
creativedream_file_uploader_project — creativedream_file_uploader |
Arbitrary file upload vulnerability in php uploader |
2022-10-03 |
9.8 |
CVE-2022-40721 MISC MISC MLIST |
css-what_project — css-what |
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function. |
2022-09-30 |
7.5 |
CVE-2022-21222 CONFIRM CONFIRM |
dairy_farm_shop_management_system_project — dairy_farm_shop_management_system |
Dairy Farm Shop Management System 1.0 is vulnerable to SQL Injection via bwdate-report-ds.php file. |
2022-09-30 |
9.8 |
CVE-2022-40943 MISC MISC |
dairy_farm_shop_management_system_project — dairy_farm_shop_management_system |
Dairy Farm Shop Management System 1.0 is vulnerable to SQL Injection via sales-report-ds.php file. |
2022-09-30 |
9.8 |
CVE-2022-40944 MISC MISC MISC |
dedecms — dedecms |
DedeCMS 5.7.98 has a file upload vulnerability in the background. |
2022-10-03 |
7.2 |
CVE-2022-40886 MISC |
dell — hybrid_client |
Dell Hybrid Client below 1.8 version contains a Zip Slip Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification. |
2022-09-30 |
7.1 |
CVE-2022-34429 MISC |
fasterxml — jackson-databind |
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. |
2022-10-02 |
7.5 |
CVE-2022-42003 MISC MISC MISC |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| fasterxml — jackson-databind | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in `BeanDeserializer._deserializeFromArray` to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | 2022-10-02 | 7.5 | CVE-2022-42004 MISC MISC MISC |
| flyte — flyteadmin | FlyteAdmin is the control plane for the data processing platform Flyte. Users who enable Flyte’s default authorization server without changing the default client ID hashes will be exposed to the public internet. In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication, via a hardcoded hashed password. This password is also set in the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin’s configuration may, unbeknownst to them, be allowing public traffic in by way of this default password, with attackers effectively impersonating Propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting; usage of an external auth server automatically turns off this default configuration, and such deployments are not susceptible to this vulnerability. This issue has been addressed in version 1.1.44. Users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin’s internal auth server. Again, users who use an external auth server are automatically protected from this vulnerability. | 2022-10-06 | 7.5 | CVE-2022-39273 MISC CONFIRM MISC |
| generex — cs141_firmware | Generex CS141 before 2.08 allows remote command execution by administrators via a web interface that reaches run_update in /usr/bin/gxserve-update.sh (e.g., command execution can occur via a reverse shell installed by install.sh). | 2022-10-06 | 7.2 | CVE-2022-42457 MISC MISC MISC |
| google — android | Improper protection in IOMMU prior to SMR Oct-2022 Release 1 allows unauthorized access to secure memory. | 2022-10-07 | 7.8 | CVE-2022-39854 MISC |
| gridea — gridea | Gridea version 0.9.3 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Gridea. This is possible because the application has the ‘nodeIntegration’ option enabled. | 2022-09-30 | 7.8 | CVE-2022-40274 MISC MISC |
| hitachi — storage_plug-in | Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects: Hitachi Storage Plug-in for VMware vCenter 04.8.0. | 2022-10-06 | 8.8 | CVE-2022-2637 MISC |
| htmly — htmly | Directory Traversal vulnerability in htmly before 2.8.1 allows remote attackers to perform arbitrary file deletions via a modified file parameter. | 2022-09-30 | 8.1 | CVE-2021-33354 MISC |
| ibm — qradar_security_information_and_event_manager | IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not function correctly when using encrypted hosts, which could result in information disclosure. IBM X-Force ID: 225889. | 2022-10-07 | 7.5 | CVE-2022-22480 XF CONFIRM |
| ibm — websphere_automation_for_ibm_cloud_pak_for_watson_aiops | IBM WebSphere Automation for Cloud Pak for Watson AIOps 1.4.2 is vulnerable to cross-site request forgery, caused by improper cookie attribute setting. IBM X-Force ID: 226449. | 2022-10-07 | 8.8 | CVE-2022-22493 XF CONFIRM |
| ikus-soft — rdiffweb | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. | 2022-10-06 | 9.8 | CVE-2022-3273 MISC CONFIRM |
| ikus-soft — rdiffweb | Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3. | 2022-09-30 | 7.5 | CVE-2022-3371 CONFIRM MISC |
| ikus-soft — rdiffweb | Path Traversal in GitHub repository ikus060/rdiffweb prior to 2.4.10. | 2022-10-06 | 7.5 | CVE-2022-3389 CONFIRM MISC |
| innovaphone — innovaphone_firmware | AP Manager in Innovaphone before 13r2 Service Release 17 allows command injection via a modified service ID during app upload. | 2022-09-30 | 9.8 | CVE-2022-41870 MISC |
| joplinapp — joplin | Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the ‘shell.openExternal’ function. | 2022-09-30 | 7.8 | CVE-2022-40277 MISC MISC |
| lighttpd — lighttpd | A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67. | 2022-10-06 | 7.5 | CVE-2022-41556 MISC MISC MISC |
| linuxfoundation — dapr_dashboard | Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data. | 2022-10-03 | 7.5 | CVE-2022-38817 MISC MISC |
| microsoft — exchange_server | Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2022-10-03 | 8.8 | CVE-2022-41040 MISC CERT-VN |
| microsoft — exchange_server | Microsoft Exchange Server Remote Code Execution Vulnerability. | 2022-10-03 | 8.8 | CVE-2022-41082 MISC CERT-VN |
| mojoportal — mojoportal | mojoPortal v2.7 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PNG file. | 2022-09-30 | 8.8 | CVE-2022-40341 MISC MISC |
| moodle — moodle | A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified. | 2022-09-30 | 9.8 | CVE-2022-40314 MISC MISC |
| moodle — moodle | A limited SQL injection risk was identified in the “browse list of users” site administration page. | 2022-09-30 | 9.8 | CVE-2022-40315 MISC MISC |
| moodle — moodle | Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk. | 2022-10-06 | 8.8 | CVE-2022-2986 MISC MISC |
| moodle — moodle | Recursive rendering of Mustache template helpers containing user input could, in some cases, result in an XSS risk or a page failing to load. | 2022-09-30 | 7.1 | CVE-2022-40313 MISC MISC |
| mybb — mybb | MyBB is a free and open source forum software. The _Mail Settings_ → _Additional Parameters for PHP’s mail() function_ (mail_parameters) setting value, in connection with the configured mail program’s options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | 2022-10-06 | 7.2 | CVE-2022-39265 MISC CONFIRM MISC MISC |
| najeebmedia — frontend_file_manager | The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension, like PHP, which effectively lets them upload arbitrary files to the server and achieve RCE. | 2022-10-03 | 8.8 | CVE-2022-3125 MISC |
| nedi — nedi | In certain NeDi products, a vulnerability in the web UI of the NeDi login and Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a user enumeration vulnerability. The vulnerability is due to insecure design: a difference in the forgot-password utility’s responses could allow an attacker to determine whether a user is valid, enabling a brute-force attack against valid users. This affects NeDi 1.0.7 and earlier for OS X, SUSE and FreeBSD. | 2022-10-06 | 9.1 | CVE-2022-40895 MISC MISC MISC |
| octopus — octopus_server | In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. | 2022-09-30 | 9.8 | CVE-2022-2778 MISC |
| omron — cx-programmer | OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | 2022-10-06 | 9.8 | CVE-2022-3396 CONFIRM |
| omron — cx-programmer | OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | 2022-10-06 | 9.8 | CVE-2022-3397 CONFIRM |
| omron — cx-programmer | OMRON CX-Programmer 9.78 and prior is vulnerable to an Out-of-Bounds Write, which may allow an attacker to execute arbitrary code. | 2022-10-06 | 9.8 | CVE-2022-3398 CONFIRM |
| online_diagnostic_lab_management_system_project — online_diagnostic_lab_management_system | An arbitrary file upload vulnerability in the component /php_action/editFile.php of Online Diagnostic Lab Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. | 2022-10-07 | 7.2 | CVE-2022-41512 MISC |
| online_diagnostic_lab_management_system_project — online_diagnostic_lab_management_system | Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /diagnostic/edittest.php. | 2022-10-07 | 7.2 | CVE-2022-41513 MISC |
| online_diagnostic_lab_management_system_project — online_diagnostic_lab_management_system | Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editclient.php?id=. | 2022-10-07 | 7.2 | CVE-2022-42073 MISC |
| online_diagnostic_lab_management_system_project — online_diagnostic_lab_management_system | Online Diagnostic Lab Management System v1.0 is vulnerable to SQL Injection via /diagnostic/editcategory.php?id=. | 2022-10-07 | 7.2 | CVE-2022-42074 MISC |
| online_leave_management_system_project — online_leave_management_system | Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /leave_system/classes/Master.php?f=delete_department. | 2022-10-06 | 7.2 | CVE-2022-41355 MISC |
| online_pet_shop_we_app_project — online_pet_shop_we_app | Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=maintenance/manage_category. | 2022-10-07 | 7.2 | CVE-2022-41377 MISC |
| online_pet_shop_we_app_project — online_pet_shop_we_app | Online Pet Shop We App v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /pet_shop/admin/?page=inventory/manage_inventory. | 2022-10-07 | 7.2 | CVE-2022-41378 MISC |
| open_source_sacco_management_system_project — open_source_sacco_management_system | Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_loan. | 2022-10-07 | 7.2 | CVE-2022-41514 MISC |
| open_source_sacco_management_system_project — open_source_sacco_management_system | Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /sacco_shield/ajax.php?action=delete_payment. | 2022-10-07 | 7.2 | CVE-2022-41515 MISC |
| orchest — orchest | Impact: in a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account. Patch: upgrade to v2022.09.10 to patch this vulnerability. Workarounds: rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d. References: https://en.wikipedia.org/wiki/Cross-site_request_forgery and https://cwe.mitre.org/data/definitions/352.html. For more information, open an issue in https://github.com/orchest/orchest or email rick@orchest.io. | 2022-09-30 | 8.1 | CVE-2022-39268 MISC MISC MISC CONFIRM |
| phpipam — phpipam | phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php. | 2022-10-03 | 9.8 | CVE-2022-41443 MISC |
| pjsip — pjsip | PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users are advised to upgrade. There are no known workarounds for this issue. | 2022-10-06 | 9.8 | CVE-2022-39244 MISC CONFIRM |
| pjsip — pjsip | PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability. | 2022-10-06 | 9.1 | CVE-2022-39269 MISC CONFIRM |
| pyup — dependency_parser | dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contains a regular expression that is vulnerable to a Regular Expression Denial of Service. All users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`; all users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed. | 2022-10-06 | 7.5 | CVE-2022-39280 MISC MISC MISC CONFIRM |
| realvnc — vnc_server | RealVNC VNC Server before 6.11.0 and VNC Viewer before 6.22.826 on Windows allow local privilege escalation via MSI installer Repair mode. | 2022-09-30 | 7.8 | CVE-2022-41975 MISC |
| samsung — factorycamera | Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write an arbitrary file with FactoryCamera privilege. | 2022-10-07 | 7.8 | CVE-2022-39858 MISC |
| semtech — loramac-node | LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper size validation of the incoming radio frames can lead to a 65280-byte out-of-bounds write. The function `ProcessRadioRxDone` implicitly expects incoming radio frames to have a payload of at least one byte. An empty payload leads to a 1-byte out-of-bounds read of user-controlled content when the payload buffer is reused. This allows an attacker to craft a FRAME_TYPE_PROPRIETARY frame with size -1, which results in a 65280-byte out-of-bounds memcpy, likely with partially attacker-controlled data. Corrupting a large part of the data section is likely to cause a DoS. If the large out-of-bounds write does not immediately crash the device, the attacker may gain control over execution, since they now control large parts of the data section. Users are advised to upgrade either by updating their package or by manually applying the patch commit `e851b079`. | 2022-10-06 | 9.8 | CVE-2022-39274 MISC MISC CONFIRM |
| simple_cold_storage_management_system_project — simple_cold_storage_management_system | Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/classes/Master.php?f=delete_message. | 2022-10-06 | 7.2 | CVE-2022-42241 MISC |
| simple_cold_storage_management_system_project — simple_cold_storage_management_system | Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/classes/Master.php?f=delete_booking. | 2022-10-06 | 7.2 | CVE-2022-42242 MISC |
| simple_cold_storage_management_system_project — simple_cold_storage_management_system | Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/manage_storage.php?id=. | 2022-10-06 | 7.2 | CVE-2022-42243 MISC |
| simple_cold_storage_management_system_project — simple_cold_storage_management_system | Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/view_storage.php?id=. | 2022-10-06 | 7.2 | CVE-2022-42249 MISC |
| simple_cold_storage_management_system_project — simple_cold_storage_management_system | Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/inquiries/view_details.php?id=. | 2022-10-06 | 7.2 | CVE-2022-42250 MISC |
| simple_e-learning_system_project — simple_e-learning_system | A SQL injection vulnerability was discovered in Sourcecodester Simple E-Learning System 1.0 via the classCode parameter at /vcs/classRoom.php?classCode=. | 2022-10-07 | 9.8 | CVE-2022-40872 MISC |
| snyk — cli | Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957. | 2022-10-03 | 7.8 | CVE-2022-40764 MISC MISC MISC MISC |
| solarwinds — orion_platform | A component of the Orion Platform was vulnerable to SQL injection; an authenticated attacker could leverage this for privilege escalation or remote code execution. | 2022-09-30 | 8.8 | CVE-2022-36961 MISC MISC |
| sonicjs — sonicjs | SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete. | 2022-10-01 | 9.1 | CVE-2022-42002 MISC MISC |
| swmansion — react_native_reanimated | The package react-native-reanimated before 3.0.0-rc.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of a regular expression in the parser of Colors.js. | 2022-09-30 | 7.5 | CVE-2022-24373 CONFIRM CONFIRM CONFIRM CONFIRM |
| sylabs — singularity_image_format | sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure. | 2022-10-06 | 9.8 | CVE-2022-39237 CONFIRM MISC |
| tooljet — tooljet | Account takeover: when viewing the user info, the password hash is visible and can be cracked. Account takeover: when viewing the user info, the forgot_password_token is visible, and an attacker can send the reset request and change the password. | 2022-10-07 | 7.5 | CVE-2022-3422 CONFIRM MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. The NetBackup Primary server is vulnerable to a SQL Injection attack affecting the NBFSMCLIENT service. | 2022-10-03 | 9.8 | CVE-2022-42302 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. The NetBackup Primary server is vulnerable to a second-order SQL Injection attack affecting the NBFSMCLIENT service by leveraging CVE-2022-42302. | 2022-10-03 | 9.8 | CVE-2022-42303 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0 and related Veritas products. The NetBackup Primary server is vulnerable to a SQL Injection attack affecting idm, nbars, and SLP manager code. | 2022-10-03 | 9.8 | CVE-2022-42304 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service. | 2022-10-03 | 9.8 | CVE-2022-42307 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) injection attack through the nbars process. | 2022-10-03 | 8.8 | CVE-2022-42301 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to a denial of service attack through the DiscoveryService service. | 2022-10-03 | 7.5 | CVE-2022-42299 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to a Path traversal attack through the DiscoveryService service. | 2022-10-03 | 7.5 | CVE-2022-42305 MISC |
| veritas — netbackup | An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx_exchange registration code. | 2022-10-03 | 7.1 | CVE-2022-42308 MISC |
| vmware — rabbitmq | RabbitMQ is a multi-protocol messaging and streaming broker. In affected versions the shovel and federation plugins perform URI obfuscation in their worker (link) state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to the Shovel and Federation plugins, reasonably easily deobfuscatable data could appear in the node log. Patched versions correctly use a cluster-wide secret for that purpose. This issue has been addressed; patched versions `3.10.2`, `3.9.18` and `3.8.32` are available. Users unable to upgrade should disable the Shovel and Federation plugins. | 2022-10-06 | 7.5 | CVE-2022-31008 MISC CONFIRM |
| web-based_student_clearance_system_project — web-based_student_clearance_system | A vulnerability was found in SourceCodester Web-Based Student Clearance System. It has been classified as critical. Affected is an unknown function of the file /Admin/login.php of the component POST Parameter Handler. The manipulation of the argument txtusername leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-210246 is the identifier assigned to this vulnerability. | 2022-10-07 | 9.8 | CVE-2022-3414 N/A N/A |
by Contributed | Oct 10, 2022 | Technology
This article is contributed. See the original author and article here.
During Cybersecurity Awareness Month, it’s important to focus not only on the dangers of data breaches but also on how to build with products like Microsoft Power Platform and Dataverse—products that are designed to help keep your organization’s data protected. Use the resources on Microsoft Learn to explore ways to support security in your organization, whether you’re a traditional solution architect, a business user, or an IT pro. April Dunnam, Power Platform Cloud Advocate, notes that anyone building a low-code solution should have a security-first mindset. She explains, “Your solution will be better designed, and then it’s going to be long-standing.”
Dataverse and Microsoft Power Platform—better together
Dataverse is a critical and foundational component of Microsoft Power Platform. It’s what the platform runs on, and it’s secure by design. You can configure many layers of security in Dataverse. As April points out, “You can use the [Microsoft Power Platform] admin center to define different data loss prevention policies to determine which connectors you can and can’t use, all the way down to a really granular level.” She recommends checking out the new managed environments that apply to both Microsoft Power Platform and Dataverse, which make it easier to manage some of the out-of-the-box security features. For every solution, you can configure additional security capabilities. For more information, go to the Microsoft Learn module Create and manage environments in Dataverse.
As part of your cybersecurity strategy, April also recommends setting up a Center of Excellence and using the toolkit, because, as she observes, “[It] augments the capabilities of Microsoft Power Platform and fosters an internal community who can think ahead and put together best practices to enable secure low-code solutions.” To learn more, explore the Microsoft Learn module Get started with Microsoft Power Platform Center of Excellence.
April is all for using Microsoft Power Platform tools “right out of the box” for building security solutions. She observes, “These intuitive, user-friendly tools guide us through making sure that the applications and solutions we build are secure. So, with just a little bit of work and a little bit of reading some of the Microsoft Learn material to get a good understanding, you’re ready to come up to speed on making sure that the solutions that you build are secure.” For details, check out the Microsoft Learn module Introduction to Microsoft Power Platform security and governance.
Use a collection to discover more security content
April encourages the use of Microsoft Learn resources, saying, “Learning paths and modules are so helpful for getting a basic understanding of security to help you set your department up for success. Later, you can transition to more advanced content as you strategize for your organization in a role like solution architect.” April recommends the Cybersecurity Awareness – Microsoft Power Platform collection, which offers a basic understanding of Dataverse security capabilities. Plus, it explores fundamental Microsoft Power Platform security concepts.
Earn a Microsoft Certification
People who follow April know that she’s a passionate Microsoft Power Platform advocate with many certifications. She observes, “People are always asking me, ‘What should I do next on my path?’” April has a couple of recommendations for validating your skills by earning an industry-recognized Microsoft Certification. She says, “If you’re building some secure applications for your team, then look into earning a Microsoft Certified: Power Platform Functional Consultant Associate certification. [Pass Exam PL-200.] If you’re at a senior level, doing things like deploying scalable applications and managing security across the environment for an organization, then explore earning a Microsoft Certified: Power Platform Solution Architect Expert certification. [Pass Exam-PL-600 and a prerequisite.]”
Keep learning with April Dunnam
Now that you’ve gotten some key tips on how to handle security issues, it’s time to dive deep into Microsoft Power Platform and Dataverse on April Dunnam’s YouTube channel. Watch for her upcoming video “Why SharePoint Experts are using Dataverse”, and be sure to check out her show—The Low Code Revolution—to build apps efficiently and expand your skill set.