‼ CVE-2021-24780 ‼
The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and give access to the export feature to any role, such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password-protected ones) via a direct URL.
via "National Vulnerability Database".
‼ CVE-2021-24818 ‼
The WP Limits WordPress plugin through 1.0 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them, which could make the blog unstable by setting low values.
via "National Vulnerability Database".
‼ CVE-2021-24705 ‼
The NEX-Forms WordPress plugin through 7.9.4 does not escape some of its settings and form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
via "National Vulnerability Database".
‼ CVE-2021-42546 ‼
Insufficient input validation in the search functionality of the WordPress plugin Use-Your-Drive prior to 1.18.3 allows an unauthenticated user to craft a reflected Cross-Site Scripting attack.
via "National Vulnerability Database".
‼ CVE-2021-24932 ‼
The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting it back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.
via "National Vulnerability Database".
‼ CVE-2021-24955 ‼
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
via "National Vulnerability Database".
‼ CVE-2021-42547 ‼
Insufficient input validation in the search functionality of the WordPress plugin Out-of-the-Box prior to 1.20.3 allows an unauthenticated user to craft a reflected Cross-Site Scripting attack.
via "National Vulnerability Database".
‼ CVE-2021-24817 ‼
The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks.
via "National Vulnerability Database".
‼ CVE-2021-24857 ‼
The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.
via "National Vulnerability Database".
‼ CVE-2021-24836 ‼
The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them.
via "National Vulnerability Database".
🗓️ Zero-day vulnerability in Hillrom cardiology devices could allow attackers full control 🗓️
Security flaw will be addressed in the next release.
via "The Daily Swig".
🕴 Why Cloud Service Providers Are a Single Point of Failure 🕴
In a matter of days, a large-scale outage of cloud and other online services could cause $15 billion in losses.
via "Dark Reading".
🕴 Why the Private Sector Is Key to Stopping Russian Hacking Group APT29 🕴
Left unchecked, these attacks could have devastating effects on government and military secrets and jeopardize the software supply chain and the global economy.
via "Dark Reading".
‼ CVE-2021-36169 ‼
A hidden functionality in Fortinet FortiOS 7.x before 7.0.1 and FortiOS 6.4.x before 6.4.7 allows an attacker to execute unauthorized code or commands via specific hex read/write operations.
via "National Vulnerability Database".
🛠 Zed Attack Proxy 2.11.1 Cross Platform Package 🛠
The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. This is the cross platform package.
via "Packet Storm Security".
🕴 2 Website Threats to Address for the Holiday Shopping Rush 🕴
Some tips for effectively combating Web supply chain attacks and customer hijacking via browser extensions.
via "Dark Reading".
‼ CVE-2021-39944 ‼
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to maintainer on projects they import.
via "National Vulnerability Database".
‼ CVE-2021-39933 ‼
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc.) was susceptible to catastrophic backtracking that could cause a DoS attack.
via "National Vulnerability Database".
‼ CVE-2021-39938 ‼
A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands.
via "National Vulnerability Database".
‼ CVE-2021-39919 ‼
In all versions of GitLab CE/EE starting from 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged, which may lead to information disclosure.
via "National Vulnerability Database".
‼ CVE-2021-40007 ‼
There is an information leak vulnerability in eCNS280_TD V100R005C10SPC650. The vulnerability is caused by improper log output management. Access to the device's log file by an attacker may lead to information disclosure.
via "National Vulnerability Database".