❌ WooCommerce Pricing Plugin Allows Malicious Code-Injection ❌
The popular Dynamic Pricing and Discounts plugin from Envato can be exploited by unauthenticated attackers.
📖 Read via "Threat Post".
‼ CVE-2020-19047 ‼
Cross Site Request Forgery (CSRF) in iWebShop v5.3 allows remote attackers to execute arbitrary code via a malicious POST request to the component '/index.php?controller=system&action=admin_edit_act'.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-21681 ‼
Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller, where they can be viewed by users with access to the Jenkins controller file system.
📖 Read via "National Vulnerability Database".
‼ CVE-2020-19049 ‼
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-21677 ‼
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-21678 ‼
Jenkins SAML Plugin 2.0.7 and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-21680 ‼
Jenkins Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
📖 Read via "National Vulnerability Database".
‼ CVE-2020-19046 ‼
Cross Site Scripting (XSS) in S-CMS v1.0 allows remote attackers to execute arbitrary code via the component '/admin/tpl.php?page='.
📖 Read via "National Vulnerability Database".
‼ CVE-2020-19048 ‼
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-21679 ‼
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
📖 Read via "National Vulnerability Database".
🛠 Dr Checker 4 Linux 🛠
This is an LLVM-based tool to audit Linux kernel module security using both pointer and taint analyses that are flow-sensitive, context-sensitive, and field-sensitive on kernel drivers. It is a port of Dr. Checker.
📖 Read via "Packet Storm Security".
🛠 Hashcat Advanced Password Recovery 6.2.4 Source Code 🛠
Hashcat is an advanced GPU hash cracking utility that includes the World's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. This is the source code release.
📖 Read via "Packet Storm Security".
🛠 Flawfinder 2.0.19 🛠
Flawfinder searches through source code for potential security flaws, listing them sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but on the values of the parameters of the function.
📖 Read via "Packet Storm Security".
🛠 Hashcat Advanced Password Recovery 6.2.4 Binary Release 🛠
Hashcat is an advanced GPU hash cracking utility that includes the World's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. This is the binary release.
📖 Read via "Packet Storm Security".
🛠 GNU Privacy Guard 2.2.30 🛠
GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions. This is the LTS release.
📖 Read via "Packet Storm Security".
🦿 Data privacy, governance and insights are all important obligations for businesses 🦿
Expert: Information management can also lead to a massive value proposition in being able to tap into governed data for business insights.
📖 Read via "Tech Republic".
🦿 Data compliance: "The world is still waking up to the challenges ahead," expert says 🦿
Bringing together siloed data from all parts of the business is a huge challenge for IT departments when meeting compliance requirements.
📖 Read via "Tech Republic".
⚠ Big bad decryption bug in OpenSSL – but no cause for alarm ⚠
The buggy code's in there, alright. Fortunately, it's hard to get OpenSSL to use it even if you want to, which mitigates the risk.
📖 Read via "Naked Security".
⚠ Skimming the CREAM – recursive withdrawals loot $13M in cryptocash ⚠
Recursion [noun]: see recursion.
📖 Read via "Naked Security".
‼ CVE-2021-22943 ‼
A vulnerability found in UniFi Protect application V1.18.1 and earlier permits a malicious actor who has already gained access to a network to subsequently control the Protect camera(s) assigned to said network. This vulnerability is fixed in UniFi Protect application V1.19.0 and later.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-39163 ‼
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulnerability is limited to homeservers where the vulnerable homeserver is in the room and untrusted users are permitted to create groups (communities). By default, only homeserver administrators can create groups. However, homeserver administrators can already access this information in the database or using the admin API. As a result, only homeservers where the configuration setting `enable_group_creation` has been set to `true` are impacted. Server administrators should upgrade to 1.41.1 or higher to patch the vulnerability. There are two potential workarounds. Server administrators can set `enable_group_creation` to `false` in their homeserver configuration (this is the default value) to prevent creation of groups by non-administrators. Administrators that are using a reverse proxy could, with partial loss of group functionality, block the endpoints `/_matrix/client/r0/groups/{group_id}/rooms` and `/_matrix/client/unstable/groups/{group_id}/rooms`.
📖 Read via "National Vulnerability Database".