CVE-2021-45450
via "National Vulnerability Database".
In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_generate_iv and psa_cipher_encrypt allow policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application.
CVE-2021-24956
via "National Vulnerability Database".
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24738
via "National Vulnerability Database".
The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24907
via "National Vulnerability Database".
The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24941
via "National Vulnerability Database".
The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-45451
via "National Vulnerability Database".
In Mbed TLS before 3.1.0, psa_aead_generate_nonce allows policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application.
CVE-2021-24750
via "National Vulnerability Database".
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action, which is available to any authenticated user, allowing users with a role as low as Subscriber to perform SQL injection attacks.
CVE-2021-24578
via "National Vulnerability Database".
The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting it back in the Events backend page, leading to a Reflected Cross-Site Scripting issue.
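The four reflected-XSS advisories above (and the stored variant in Logo Carousel) share one root cause: a request value is written into an HTML attribute without being escaped for that context. The following is an added illustration, not code from any of the named plugins; the handler and the "status" parameter name are hypothetical, and the two stand-in functions only approximate the WordPress core functions of the same name so the file runs outside WordPress.

```php
<?php
// Added example of the reflected-XSS-in-attribute pattern. Not code from any
// plugin named above; handler and parameter names are hypothetical.

// Vulnerable: the request parameter is echoed straight into an HTML attribute,
// so a value containing a double quote closes the attribute and then the tag.
function render_status_field_vulnerable(array $request): string
{
    $status = $request['status'] ?? '';
    return '<input type="hidden" name="status" value="' . $status . '">';
}

// Minimal stand-ins for the WordPress core functions so this file runs outside
// WordPress. Real plugin code must call the core versions, which do more.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string
    {
        return trim(preg_replace('/[\r\n\t ]+/', ' ', strip_tags((string) $str)));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hardened: sanitise on the way in and escape for the attribute context on the
// way out. esc_attr() is only sufficient inside a *quoted* attribute; an
// unquoted attribute or a JavaScript context needs a different escaper.
function render_status_field_hardened(array $request): string
{
    $status = sanitize_text_field($request['status'] ?? '');
    return '<input type="hidden" name="status" value="' . esc_attr($status) . '">';
}

// Constructed attacker input: closes the value attribute and injects a script.
$request = ['status' => '"><script>alert(document.domain)</script>'];

echo render_status_field_vulnerable($request), PHP_EOL;
echo render_status_field_hardened($request), PHP_EOL;
```

For the stored case (the "Logo Margin" option) the same two steps apply at different times: sanitise when the option is saved, and escape with esc_attr() every time it is rendered. Sanitising on save alone is not enough, because the stored value can still reach the page through another write path.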
CVE-2021-24739
via "National Vulnerability Database".
The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature.
CVE-2021-24849
via "National Vulnerability Database".
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated users, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injection.
How Is Zero Trust Evolving to Be More Continuous in Verifying Trust?
via "Dark Reading".
For zero trust to be successful, organizations need to be able to check user identity, device posture, and overall behavior without adding friction to the experience.
CVE-2021-45255
via "National Vulnerability Database".
The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
CVE-2021-45253
via "National Vulnerability Database".
The id parameter in view_storage.php from Simple Cold Storage Management System 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
CVE-2021-45252
via "National Vulnerability Database".
Multiple SQL injection vulnerabilities exist in Simple Forum-Discussion System 1.0, for example in manage_topic.php, manage_user.php, and ajax.php. An attacker can use them to retrieve all information from the system's database.
Ubisoft confirms Just Dance video game data breach
via "The Daily Swig".
Developer said no accounts had been improperly accessed.
F-Secure uses flaw in at-home COVID-19 test to fake results
via "Tech Republic".
Security researchers used a Bluetooth vulnerability to change negative results to positive.
FBI: Another Zoho ManageEngine Zero-Day Under Active Attack
via "Threat Post".
APT attackers are using a security vulnerability in ManageEngine Desktop Central to take over servers, deliver malware and establish network persistence.
CVE-2021-4139
via "National Vulnerability Database".
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
The Future of Ransomware
via "Dark Reading".
Focusing on basic security controls and executing them well is the best way to harden your systems against an attack.
Browser security: Google fixes Chrome Site Isolation bypass bug
via "The Daily Swig".
Vulnerability in Chrome's service worker feature created chink in browser's armor.
A Year in Microsoft Bugs: The Most Critical, Overlooked & Hard to Patch
via "Dark Reading".
Severe flaws in Microsoft Exchange and Windows Print Spooler stood out amid a wide range of vulnerabilities security teams were forced to prioritize in 2021.