โผ CVE-2021-24702 โผ
๐ Read
via "National Vulnerability Database".
The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltred_html capability is disallowed๐ Read
via "National Vulnerability Database".
โผ CVE-2021-41990 โผ
๐ Read
via "National Vulnerability Database".
The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-42575 โผ
๐ Read
via "National Vulnerability Database".
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24754 โผ
๐ Read
via "National Vulnerability Database".
The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24612 โผ
๐ Read
via "National Vulnerability Database".
The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24760 โผ
๐ Read
via "National Vulnerability Database".
The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-41991 โผ
๐ Read
via "National Vulnerability Database".
The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24734 โผ
๐ Read
via "National Vulnerability Database".
The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-42576 โผ
๐ Read
via "National Vulnerability Database".
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-3755 โผ
๐ Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24736 โผ
๐ Read
via "National Vulnerability Database".
The Easy Download Manager and File Sharing Plugin with frontend file upload รยขรขโยฌรขโฌล a better Media Library รยขรขโยฌรขโฌ๏ฟฝ Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24675 โผ
๐ Read
via "National Vulnerability Database".
The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24413 โผ
๐ Read
via "National Vulnerability Database".
The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24677 โผ
๐ Read
via "National Vulnerability Database".
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24735 โผ
๐ Read
via "National Vulnerability Database".
The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24516 โผ
๐ Read
via "National Vulnerability Database".
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-24622 โผ
๐ Read
via "National Vulnerability Database".
The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-41971 โผ
๐ Read
via "National Vulnerability Database".
Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with a custom URL.๐ Read
via "National Vulnerability Database".
๐ข US links $5.2 billion in Bitcoin transactions to ransomware ๐ข
๐ Read
via "ITPro".
A new report from the Treasury ties the cryptocurrency to ransomware payments over a ten year period๐ Read
via "ITPro".
IT PRO
US links $5.2 billion in Bitcoin transactions to ransomware | IT PRO
A new report from the Treasury ties the cryptocurrency to ransomware payments over a ten year period
๐ข Acer Taiwan falls victim to cyber attack ๐ข
๐ Read
via "ITPro".
Hackers obtained employee data three days after they breached Acer India servers๐ Read
via "ITPro".
IT PRO
Acer Taiwan falls victim to cyber attack | IT PRO
Hackers obtained employee data three days after they breached Acer India servers
๐ข The rise of cloud misconfiguration threats and how to avoid them ๐ข
๐ Read
via "ITPro".
Businesses must adopt new tools and practices to combat one of the leading causes of security breaches๐ Read
via "ITPro".
IT PRO
The rise of cloud misconfiguration threats and how to avoid them | IT PRO
Businesses must adopt new tools and practices to combat one of the leading causes of security breaches