CVE-2021-24678 (via National Vulnerability Database)
The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-41878 (via National Vulnerability Database)
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console.
CVE-2021-24676 (via National Vulnerability Database)
The Better Find and Replace WordPress plugin before 1.2.9 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24465 (via National Vulnerability Database)
The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available to users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects being deserialized.
CVE-2021-24679 (via National Vulnerability Database)
The Bitcoin / AltCoin Payment Gateway for WooCommerce WordPress plugin before 1.6.1 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-41511 (via National Vulnerability Database)
The username and password fields of the login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.
CVE-2021-24673 (via National Vulnerability Database)
The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Cryptocurrency funds removed from 6,000 Coinbase accounts due to flaw in SMS authentication (via The Daily Swig)
Victims are told they will be reimbursed.
Transnational Fraud Ring Bilks U.S. Military Service Members Out of Millions (via Threat Post)
A former medical records tech stole PII that was then used to fraudulently claim DoD and VA benefits, particularly targeting disabled veterans.
CVE-2021-37331 (via National Vulnerability Database)
Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL.
CVE-2021-41868 (via National Vulnerability Database)
OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality.
CVE-2021-37330 (via National Vulnerability Database)
Laravel Booking System Booking Core 2.0 is vulnerable to Cross Site Scripting (XSS). The Avatar upload in the My Profile section could be exploited to upload a malicious SVG file which contains JavaScript. If another user/admin then views the profile and clicks to view the avatar, an XSS will trigger.
CVE-2021-37777 (via National Vulnerability Database)
Gila CMS 2.2.0 is vulnerable to Insecure Direct Object Reference (IDOR). Thumbnails uploaded by one site owner are visible to another site owner just by knowing the other site name and fuzzing for picture names. This leads to sensitive information disclosure.
CVE-2021-39486 (via National Vulnerability Database)
A Stored XSS via Malicious File Upload exists in Gila CMS version 2.2.0. An attacker can use this to steal cookies or passwords, or to run arbitrary code in a victim's browser.
CVE-2021-37333 (via National Vulnerability Database)
Laravel Booking System Booking Core 2.0 is vulnerable to a Session Management issue. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.
CVE-2021-41867 (via National Vulnerability Database)
An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature.
CVE-2021-25964 (via National Vulnerability Database)
The "Calibre-web" application, v0.6.0 to v0.6.12, is vulnerable to Stored XSS in "Metadata". An attacker that has access to edit the metadata information can inject a JavaScript payload in the description field. When a victim tries to open the file, the XSS will be triggered.
CVE-2021-38822 (via National Vulnerability Database)
A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands.
CVE-2021-38823 (via National Vulnerability Database)
The IceHrm 30.0.0 OS website was found vulnerable to a Session Management issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
CVE-2021-36051 (via National Vulnerability Database)
XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow vulnerability potentially resulting in arbitrary code execution in the context of the current user. Exploitation requires user interaction in that a victim must open a specially-crafted .cpp file.
Let's Encrypt root cert update catches out many big-name tech firms (via The Daily Swig)
Back on the chain gang.