βΌ CVE-2021-40719 βΌ
π Read
via "National Vulnerability Database".
Adobe Connect version 11.2.2 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary method invocation when AMF messages are deserialized on an Adobe Connect server. An attacker can leverage this to execute remote code execution on the server.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39321 βΌ
π Read
via "National Vulnerability Database".
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39357 βΌ
π Read
via "National Vulnerability Database".
The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41168 βΌ
π Read
via "National Vulnerability Database".
Snudown is a reddit-specific fork of the Sundown Markdown parser used by GitHub, with Python integration added. In affected versions snudown was found to be vulnerable to denial of service attacks to its reference table implementation. References written in markdown ` [reference_name]: https://www.example.com` are inserted into a hash table which was found to have a weak hash function, meaning that an attacker can reliably generate a large number of collisions for it. This makes the hash table vulnerable to a hash-collision DoS attack, a type of algorithmic complexity attack. Further the hash table allowed for duplicate entries resulting in long retrieval times. Proofs of concept and further discussion of the hash collision issue are discussed on the snudown GHSA(https://github.com/reddit/snudown/security/advisories/GHSA-6gvv-9q92-w5f6). Users are advised to update to version 1.7.0.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39356 βΌ
π Read
via "National Vulnerability Database".
The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping via several parameters that are echo'd out via the ~/templates/settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36869 βΌ
π Read
via "National Vulnerability Database".
Reflected Cross-Site Scripting (XSS) vulnerability in WordPress Ivory Search plugin (versions <= 4.6.6). Vulnerable parameter: &post.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39328 βΌ
π Read
via "National Vulnerability Database".
The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echo'd out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22034 βΌ
π Read
via "National Vulnerability Database".
Releases prior to VMware vRealize Operations Tenant App 8.6 contain an Information Disclosure Vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39354 βΌ
π Read
via "National Vulnerability Database".
The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41169 βΌ
π Read
via "National Vulnerability Database".
Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41127 βΌ
π Read
via "National Vulnerability Database".
Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39348 βΌ
π Read
via "National Vulnerability Database".
The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is seperate from CVE-2021-24702.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39352 βΌ
π Read
via "National Vulnerability Database".
The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27746 βΌ
π Read
via "National Vulnerability Database".
"HCL Connections Security Update for Reflected Cross-Site Scripting (XSS) Vulnerability"π Read
via "National Vulnerability Database".
ποΈ EU ban on anonymous domain registration welcomed by threat intel firm ποΈ
π Read
via "The Daily Swig".
βThis raises the bar and makes it expensive for easy cyber criminality,β argues DomainToolsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
EU ban on anonymous domain registration welcomed by threat intel firm
βThis raises the bar and makes it expensive for easy cyber criminality,β argues DomainTools
ποΈ Japanese punctuation exacerbates privacy flaw that leaks one-word search terms in Google, Firefox browsers ποΈ
π Read
via "The Daily Swig".
Researcher questions efficacy of proposed remedies as debate rumbles on 18 months after disclosureπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Japanese punctuation exacerbates privacy flaw that leaks one-word search terms in Google, Firefox browsers
Researcher questions efficacy of proposed remedies as debate rumbles on 18 months after disclosure
β Threat Actors Abuse Discord to Push Malware β
π Read
via "Threat Post".
The platformβs Content Delivery Network and core features are being used to send malicious filesβincluding RATs--across its network of 150 million users, putting corporate workplaces at risk.π Read
via "Threat Post".
Threat Post
Threat Actors Abuse Discord to Push Malware
The platformβs Content Delivery Network and core features are being used to send malicious filesβincluding RATsβacross its network of 150 million users, putting corporate workplaces at risk.
βΌ CVE-2021-31835 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via a specific parameter where the administrator's entries were not correctly sanitized.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31834 βΌ
π Read
via "National Vulnerability Database".
Stored Cross-Site Scripting vulnerability in McAfee ePolicy Orchestrator (ePO) prior to 5.10 Update 11 allows ePO administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized.π Read
via "National Vulnerability Database".
π¦Ώ What to do if your small business is a victim of a cyberattack π¦Ώ
π Read
via "Tech Republic".
Immersed in the throes of a cyberattack is not the time to figure out how to respond. An expert offers suggestions on how to create a company-specific incident-response plan.π Read
via "Tech Republic".
TechRepublic
What to do if your small business is a victim of a cyberattack
Immersed in the throes of a cyberattack is not the time to figure out how to respond. An expert offers suggestions on how to create a company-specific incident-response plan.
ποΈ Swiss exhibitions organizer MCH Group hit by cyber-attack ποΈ
π Read
via "The Daily Swig".
Investigations yet to confirm if any data was exfiltratedπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Swiss exhibitions organizer MCH Group hit by cyber-attack
Investigations yet to confirm if any data was exfiltrated