CVE-2021-40889
via "National Vulnerability Database".
CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. The sauvePass action in {webroot}/uno/central.php calls file_put_contents() to write the username into password.php when a user successfully changes their password. Because the username is written into that file unescaped, an attacker can inject PHP code into password.php and then use the login function to get that code executed.
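As an added example (not CMSUno's code; the function names, the variable names in the generated file and the allowlist are assumptions), the following PHP shows why writing a username into a PHP source file is code injection, and two ways to make the same feature safe:

```php
<?php
// Added example, not CMSUno's code: what goes wrong when a username is
// pasted into PHP source, and two ways to make the same feature safe.
declare(strict_types=1);

// Vulnerable pattern: the username becomes part of a PHP string literal.
// A username such as  x'; $pwned = true; //  closes the literal, runs
// attacker code, and comments out the remainder of the line.
function buildPasswordFileVulnerable(string $username, string $hash): string
{
    return "<?php\n"
         . "\$username = '$username';\n"
         . "\$password = '$hash';\n";
}

// Hardened pattern 1: allowlist the value before it reaches the file, and
// let var_export() emit a correctly quoted literal, so that a quote or
// backslash in the value can never terminate the string.
function buildPasswordFileHardened(string $username, string $hash): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    return "<?php\n"
         . '$username = ' . var_export($username, true) . ";\n"
         . '$password = ' . var_export($hash, true) . ";\n";
}

// Hardened pattern 2 (preferred): keep credentials as data, not code, in a
// file outside the web root. No input can become executable this way.
function buildCredentialJson(string $username, string $hash): string
{
    return json_encode(['username' => $username, 'password' => $hash],
                       JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
}

// Stand-in for the application's own `include 'password.php'` at login.
// eval() is used only so the demo can run on an in-memory string.
function loadCredentialFile(string $php): array
{
    $pwned = false;
    eval(substr($php, strlen('<?php')));
    return ['username' => $username ?? null, 'pwned' => $pwned];
}

$hash    = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$payload = "x'; \$pwned = true; //";   // constructed attacker-chosen username

$r = loadCredentialFile(buildPasswordFileVulnerable($payload, $hash));
printf("vulnerable: username=%s pwned=%s\n", $r['username'], var_export($r['pwned'], true));

try {
    buildPasswordFileHardened($payload, $hash);
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected ({$e->getMessage()})\n";
}
$r = loadCredentialFile(buildPasswordFileHardened('alice', $hash));
printf("hardened:   username=%s pwned=%s\n", $r['username'], var_export($r['pwned'], true));

echo buildCredentialJson($payload, $hash), "\n";   // here the payload is only a string value
```

Run it with the php CLI. The allowlist in the first hardened version is a policy choice; var_export() is what actually stops the breakout, and the JSON variant removes the problem entirely by never producing code from input. In either case the credential file belongs outside the document root.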
CVE-2021-40884
via "National Vulnerability Database".
Projectsend version r1295 is affected by a sensitive information disclosure vulnerability. Because neither the ids parameter of files-edit.php nor the id parameter of process.php is checked for authorization, a user with the Uploader role can download and edit the files of every user in the application.
CVE-2021-24737
via "National Vulnerability Database".
The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24651
via "National Vulnerability Database".
The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hashes.
CVE-2021-24545
via "National Vulnerability Database".
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in users' Bio field, allowing them to include malicious JavaScript that is executed when anyone visits a frontend post written by such a user. As a result, a user with a role as low as Author could perform Cross-Site Scripting attacks against other users, which could lead to privilege escalation when an admin views the related post(s).
CVE-2021-24577
via "National Vulnerability Database".
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS.
CVE-2021-24546
via "National Vulnerability Database".
The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low as Contributor to execute arbitrary PHP code.
CVE-2021-24690
via "National Vulnerability Database".
The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.
CVE-2021-24683
via "National Vulnerability Database".
The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and does not validate or escape them, which could lead to a Stored Cross-Site Scripting issue.
CVE-2021-24691
via "National Vulnerability Database".
The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-40886
via "National Vulnerability Database".
Projectsend version r1295 is affected by a directory traversal vulnerability. A user with the Uploader role can set the `chunks` parameter to `2` to bypass the `fileName` sanitization.
CVE-2021-24712
via "National Vulnerability Database".
The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.
CVE-2021-24720
via "National Vulnerability Database".
The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS).
CVE-2021-24709
via "National Vulnerability Database".
The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (such as *_size_leaf, *_flakes_leaf and *_speed), which could lead to Stored Cross-Site Scripting issues.
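The three controls the two Weather Effect advisories (CVE-2021-24683 and CVE-2021-24709) describe as missing, shown together in an added example that is not the plugin's code. It is plain PHP so that it runs on its own; the WordPress equivalents are named in the comments, and the concrete setting names, their ranges and the widget markup are assumptions:

```php
<?php
// Added example, not Weather Effect's code: a settings-save handler with a
// CSRF token check, per-setting validation on save, and escaping at output.
// Plain PHP so it runs stand-alone; in a WordPress plugin the same roles are
// played by check_admin_referer(), current_user_can(), absint() /
// sanitize_text_field() and esc_attr() / esc_html(). Setting names follow the
// advisory's *_size_leaf, *_flakes_leaf, *_speed pattern; ranges are assumed.
declare(strict_types=1);

const SETTINGS_SPEC = [
    'leaf_size_leaf'   => ['type' => 'int',   'min' => 1, 'max' => 200],
    'leaf_flakes_leaf' => ['type' => 'int',   'min' => 1, 'max' => 500],
    'leaf_speed'       => ['type' => 'int',   'min' => 1, 'max' => 100],
    'leaf_color'       => ['type' => 'color'],
    'leaf_title'       => ['type' => 'text',  'max' => 80],
];

function issueCsrfToken(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function checkCsrf(array $session, $token): bool
{
    return is_string($token) && isset($session['csrf']) && hash_equals($session['csrf'], $token);
}

// Validate every submitted value against its spec. Returns [saved, errors].
function validateSettings(array $post): array
{
    $saved = [];
    $errors = [];
    foreach (SETTINGS_SPEC as $key => $spec) {
        $raw = $post[$key] ?? null;
        if (!is_string($raw)) {
            $errors[$key] = 'missing';
        } elseif ($spec['type'] === 'int') {
            $opts = ['options' => ['min_range' => $spec['min'], 'max_range' => $spec['max']]];
            $v = filter_var($raw, FILTER_VALIDATE_INT, $opts);
            $v === false ? $errors[$key] = "integer {$spec['min']}..{$spec['max']} expected" : $saved[$key] = $v;
        } elseif ($spec['type'] === 'color') {
            preg_match('/\A#[0-9a-fA-F]{6}\z/', $raw)
                ? $saved[$key] = strtolower($raw) : $errors[$key] = 'hex colour expected';
        } else {   // free text: bound length, forbid control characters; markup is handled on output
            $v = trim($raw);
            (mb_strlen($v, 'UTF-8') > $spec['max'] || preg_match('/[\x00-\x1F\x7F]/', $v))
                ? $errors[$key] = 'too long or contains control characters' : $saved[$key] = $v;
        }
    }
    return [$saved, $errors];
}

// $canManage is the capability check (current_user_can('manage_options') in WordPress).
function handleSave(array $session, array $post, bool $canManage): array
{
    if (!$canManage) {
        return ['ok' => false, 'errors' => ['_auth' => 'insufficient capability']];
    }
    if (!checkCsrf($session, $post['_token'] ?? null)) {
        return ['ok' => false, 'errors' => ['_token' => 'missing or invalid CSRF token']];
    }
    [$saved, $errors] = validateSettings($post);
    return $errors ? ['ok' => false, 'errors' => $errors] : ['ok' => true, 'settings' => $saved];
}

// The pattern the advisories describe: stored settings echoed straight into markup.
function renderWidgetVulnerable(array $s): string
{
    return "<div class=\"leaf\" data-size=\"{$s['leaf_size_leaf']}\" style=\"color:{$s['leaf_color']}\">{$s['leaf_title']}</div>";
}

// Escape for the HTML/attribute context at output time regardless of what ran on
// save: the stored row may predate the validation. The colour is safe inside
// style="" only because validation restricted it to a hex literal.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderWidget(array $s): string
{
    return sprintf('<div class="leaf" data-size="%s" data-speed="%s" style="color:%s">%s</div>',
        e((string) $s['leaf_size_leaf']), e((string) $s['leaf_speed']), e($s['leaf_color']), e($s['leaf_title']));
}

$session = [];
$token   = issueCsrfToken($session);
$attack  = [   // constructed hostile submission
    'leaf_size_leaf'   => '12"><script>alert(1)</script>',
    'leaf_flakes_leaf' => '10',
    'leaf_speed'       => '5',
    'leaf_color'       => 'red;background:url(javascript:alert(1))',
    'leaf_title'       => '<img src=x onerror=alert(1)>',
];
print_r(handleSave($session, $attack, true));                          // without a token
print_r(handleSave($session, $attack + ['_token' => $token], true));   // with a token: values are validated
echo renderWidgetVulnerable($attack), "\n";                             // the unescaped markup the advisories warn about

$good = ['leaf_size_leaf' => '12', 'leaf_flakes_leaf' => '10', 'leaf_speed' => '5',
         'leaf_color' => '#00AA00', 'leaf_title' => 'Autumn <b>leaves</b>', '_token' => $token];
$r = handleSave($session, $good, true);
echo renderWidget($r['settings']), "\n";   // title markup is escaped rather than rendered
```

The division of labour matters: validation on save rejects values that cannot be valid (a size that is not an integer, a colour that is not hex), while escaping on output protects against whatever is already in storage. Neither alone covers the unfiltered_html case the wpDiscuz and Quiz And Survey Master entries describe, because that capability governs what WordPress core filters, not what a plugin chooses to echo.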
CVE-2021-40888
via "National Vulnerability Database".
Projectsend version r1295 is affected by Cross-Site Scripting (XSS) because the returnFilesIds() function echoes output data without sanitization. A low-privilege user can call this function through process.php and execute script code.
CVE-2021-40887
via "National Vulnerability Database".
Projectsend version r1295 is affected by a directory traversal vulnerability. Because the files[] parameter is not sanitized, an attacker can prepend ../ sequences to move any PHP file, or any other file the web server process has permission to access, into the /upload/files/ folder.
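One destination-path rule for both Projectsend traversal entries (CVE-2021-40886, the chunks bypass, and CVE-2021-40887, the unsanitized files[] list), as an added example that is not ProjectSend's code. The branch layout, parameter handling and extension allowlist are assumptions chosen to show the pattern, not the project's actual control flow:

```php
<?php
// Added example, not ProjectSend's code: a store function that cleans the
// client-supplied name on one branch only, next to a version that confines
// every destination path, chunked or not, before touching the filesystem.
// The branch layout is a hypothetical reconstruction of the pattern the
// advisories describe, not the project's actual control flow.
declare(strict_types=1);

$uploadDir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($uploadDir, 0700, true);

// Vulnerable: basename() runs only for single-shot uploads. With chunks=2
// the raw name is used, so "../evil.php" lands in the parent directory.
function storeUploadVulnerable(string $uploadDir, array $params, string $data): string
{
    $name = $params['fileName'];
    if ((int) ($params['chunks'] ?? 1) <= 1) {
        $name = basename($name);          // sanitised on the common path only
    }
    $dest = $uploadDir . '/' . $name;
    file_put_contents($dest, $data, FILE_APPEND);
    return $dest;
}

// Hardened: one rule for every client-supplied name. Reject NUL bytes, drop
// any directory part, allowlist the characters and the extension, then prove
// the resolved parent directory is the upload root itself.
function confinedPath(string $uploadDir, string $clientName): string
{
    $root = realpath($uploadDir);
    if ($root === false) {
        throw new RuntimeException('upload root missing');
    }
    if (strpos($clientName, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in file name');
    }
    $name = basename(str_replace('\\', '/', $clientName));   // treat backslash as a separator too
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        throw new InvalidArgumentException("rejected file name: $name");
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['pdf', 'png', 'jpg', 'txt'], true)) {   // assumed allowlist
        throw new InvalidArgumentException("rejected extension: '$ext'");
    }
    $dest = $root . DIRECTORY_SEPARATOR . $name;
    // Redundant after the checks above, but it keeps the guarantee if the
    // name rule is ever relaxed to allow subdirectories.
    if (realpath(dirname($dest)) !== $root) {
        throw new InvalidArgumentException('path escapes upload root');
    }
    return $dest;
}

function storeUploadHardened(string $uploadDir, array $params, string $data): string
{
    $dest = confinedPath($uploadDir, $params['fileName']);   // same rule on every branch
    file_put_contents($dest, $data, FILE_APPEND);
    return $dest;
}

// List-valued parameters such as files[] get the same rule per entry, and the
// whole request fails before anything is moved if one entry is bad.
function confineAll(string $uploadDir, array $names): array
{
    return array_map(fn(string $n) => confinedPath($uploadDir, $n), $names);
}

$attack = ['fileName' => '../evil.php', 'chunks' => '2'];   // constructed request
$out = storeUploadVulnerable($uploadDir, $attack, "<?php echo 'pwned'; ?>");
echo "vulnerable wrote: $out\n";
unlink($out);

foreach (['../evil.php', '..\\..\\report.pdf', 'report.pdf', 'notes.txt'] as $name) {
    try {
        echo 'hardened accepted: ', storeUploadHardened($uploadDir, ['fileName' => $name, 'chunks' => '2'], 'data'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'hardened rejected: ', $e->getMessage(), "\n";
    }
}
try {
    confineAll($uploadDir, ['a.txt', '../../etc/passwd']);
} catch (InvalidArgumentException $e) {
    echo 'files[] rejected as a whole: ', $e->getMessage(), "\n";
}

array_map('unlink', glob("$uploadDir/*") ?: []);
rmdir($uploadDir);
```

The check belongs in one function that every branch calls, which is the lesson of the chunks bypass: a sanitiser applied on the common path only is a sanitiser an attacker can route around by choosing the other path. The extension allowlist matters separately because a traversal into a web-served upload folder is only as dangerous as what the server will execute from it.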
Oregon Eye Specialists discloses data breach following employee email compromise
via "The Daily Swig".
Attackers had access to mailboxes over a two-month period.
Continuous Authentication Tech Looms Large in Deployment Plans
via "Dark Reading".
Data from the Dark Reading and Omdia Enterprise Security in a Post Pandemic World report shows security leaders are interested in continuous authentication technologies, especially behavioral-based capabilities.
Applying Behavioral Psychology to Strengthen Your Incident Response Team
via "Dark Reading".
A deep-dive study on the inner workings of incident response teams leads to a framework to apply behavioral psychology principles to CSIRTs.
Apache patch proves patchy – now you need to patch the patch
via "Naked Security".
Once more unto the breach, dear friends, once more, and close up the hole of encoding dread.
The 5 Phases of Zero Trust Adoption
via "Dark Reading".
Zero trust aims to replace implicit trust with explicit, continuously adaptive trust across users, devices, networks, applications, and data.