CVE-2021-28419
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
via "National Vulnerability Database".
CVE-2021-23359
This affects all versions of package port-killer. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command "touch success" to be executed, leading to the creation of a file called "success".
via "National Vulnerability Database".
CVE-2021-28418
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter.
via "National Vulnerability Database".
CVE-2021-28420
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.
via "National Vulnerability Database".
Digital Guardian Gives Customers Control Over Collaboration Software
Four new policy packs can help customers better control file movement across popular collaboration software like Microsoft Teams, Slack, Zoom, and Skype.
via "Digital Guardian".
Security Researcher Hides ZIP, MP3 Files Inside PNG Files on Twitter
The newly discovered steganography method could be exploited by threat actors to obscure nefarious activity inside photos hosted on the social-media platform.
via "Threat Post".
Zoom Screen-Sharing Glitch 'Briefly' Leaks Sensitive Data
A glitch in Zoom's screen-sharing feature shows parts of presenters' screens that they did not intend to share, potentially leaking emails or passwords.
via "Threat Post".
CVE-2021-24142
Unvalidated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51: the plugin did not sanitise its "Redirect From" column when importing a CSV file, allowing high-privilege users to perform SQL injection.
via "National Vulnerability Database".
CVE-2021-24140
Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, leads to SQL injection in POST /wp-admin/admin-ajax.php with the parameter repeater=' or sleep(5)#&type=test.
via "National Vulnerability Database".
CVE-2021-24137
Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, leads to SQL injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands.
via "National Vulnerability Database".
CVE-2021-24124
Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, lead to unauthenticated reflected cross-site scripting (XSS) when the CAPTCHA page is shown, which could lead to privilege escalation.
via "National Vulnerability Database".
CVE-2021-21625
Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.
via "National Vulnerability Database".
CVE-2021-24129
Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to stored cross-site scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.
via "National Vulnerability Database".
CVE-2021-24134
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple stored cross-site scripting vulnerabilities, which allowed high-privileged users (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embedded.
via "National Vulnerability Database".
CVE-2021-24136
Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple cross-site scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the following parameters:
- Author
- Job Title
- Location
- Company
- Email
- URL
via "National Vulnerability Database".
CVE-2021-24139
Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.
via "National Vulnerability Database".
CVE-2021-24128
Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to cross-site scripting vulnerabilities allowing a medium-privileged authenticated attacker (Contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member.
via "National Vulnerability Database".
CVE-2021-24130
Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, made the Manage Locations page within the plugin settings vulnerable to SQL injection by a high-privileged user (admin+).
via "National Vulnerability Database".
CVE-2021-24149
Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6: the plugin did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL injection issue.
via "National Vulnerability Database".
CVE-2021-24127
Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, made it vulnerable to authenticated stored cross-site scripting (XSS), which could lead to privilege escalation.
via "National Vulnerability Database".
CVE-2021-26237
FastStone Image Viewer <= 7.5 is affected by a user mode write access violation at 0x00402d7d, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Attackers could exploit this issue for a denial of service (DoS) or possibly to achieve code execution.
via "National Vulnerability Database".