βΌ CVE-2021-38751 βΌ
π Read
via "National Vulnerability Database".
A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38758 βΌ
π Read
via "National Vulnerability Database".
Directory traversal in Online Catering Reservation System due to lack of validation in index.php.π Read
via "National Vulnerability Database".
β Copyright scammers turn to phone numbers instead of web links β
π Read
via "Naked Security".
Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers.π Read
via "Naked Security".
Naked Security
Copyright scammers turn to phone numbers instead of web links
Forewarned is forearmed. Hereβs our advice on dealing with βcopyright infringementβ scammers.
β S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed [Podcast] β
π Read
via "Naked Security".
Latest episode - listen now! (And learn about the Navajo Nation's selfless cryptographic contribution to America.)π Read
via "Naked Security".
Naked Security
S3 Ep45: Routers attacked, hacking tool hacked, and betrayers betrayed [Podcast]
Latest episode β listen now! (And learn about the Navajo Nationβs selfless cryptographic contribution to America.)
π¦Ώ Windows 10: How to activate Microsoft Defender Application Guard π¦Ώ
π Read
via "Tech Republic".
Microsoft Defender Application Guard protects your networks and data from malicious applications running in your web browser. Learn how to install and activate this Windows 10 security feature.π Read
via "Tech Republic".
TechRepublic
Windows 10: How to activate Microsoft Defender Application Guard
Microsoft Defender Application Guard protects your networks and data from malicious applications running in your web browser. Learn how to install and activate this Windows 10 security feature.
β XSS Bug in SEOPress WordPress Plugin Allows Site Takeover β
π Read
via "Threat Post".
The bug would allow a number of malicious actions, up to and including full site takeover. The vulnerable plugin is installed on 100,000 websites.π Read
via "Threat Post".
Threat Post
XSS Bug in SEOPress WordPress Plugin Allows Site Takeover
The bug would allow a number of malicious actions, up to and including full site takeover. The vulnerable plugin is installed on 100,000 websites.
π Yearlong Office 365 Phishing Campaign Skilled at Evasion π
π Read
via "".
A new phishing campaign targeting Office 365 has used Morse code and other forms of obfuscation to side step detection for the last year.π Read
via "".
βΌ CVE-2021-34649 βΌ
π Read
via "National Vulnerability Database".
The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34644 βΌ
π Read
via "National Vulnerability Database".
The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34664 βΌ
π Read
via "National Vulnerability Database".
The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22937 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22934 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator or compromised Pulse Connect Secure device in a load-balanced configuration to perform a buffer overflow via a malicious crafted web request.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18699 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to execute arbitrary code by entering scripts in the the 'Username' parameter of the in component 'app/api/cms/user.py'.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22940 βΌ
π Read
via "National Vulnerability Database".
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22936 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site script attack against an authenticated administrator via an unsanitized web parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22939 βΌ
π Read
via "National Vulnerability Database".
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18698 βΌ
π Read
via "National Vulnerability Database".
Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22932 βΌ
π Read
via "National Vulnerability Database".
An issue has been identified in the CTX269106 mitigation tool for Citrix ShareFile storage zones controller which causes the ShareFile file encryption option to become disabled if it had previously been enabled. Customers are only affected by this issue if they previously selected Γ’β¬ΕEnable EncryptionΓ’β¬οΏ½ in the ShareFile configuration page and did not re-select this setting after running the CTX269106 mitigation tool. ShareFile customers who have not run the CTX269106 mitigation tool or who re-selected Γ’β¬ΕEnable EncryptionΓ’β¬οΏ½ immediately after running the tool are unaffected by this issue.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34641 βΌ
π Read
via "National Vulnerability Database".
The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37707 βΌ
π Read
via "National Vulnerability Database".
### Impact Manipulation of product reviews via API ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659π Read
via "National Vulnerability Database".
βΌ CVE-2020-18701 βΌ
π Read
via "National Vulnerability Database".
Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets.π Read
via "National Vulnerability Database".