CVE-2021-25043 (via National Vulnerability Database)
The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

CVE-2022-22121 (via National Vulnerability Database)
In NocoDB, versions 0.81.0 through 0.83.8 are affected by a CSV Injection vulnerability (Formula Injection). A low-privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint, exports the data as a CSV file and opens it, the payload gets executed.

CVE-2022-0157 (via National Vulnerability Database)
phoronix-test-suite is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

CVE-2021-24862 (via National Vulnerability Database)
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.

CVE-2022-22114 (via National Vulnerability Database)
In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The "search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim's browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator by an unauthenticated attacker.

CVE-2021-24949 (via National Vulnerability Database)
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.

CVE-2021-23218 (via National Vulnerability Database)
When running with FIPS mode enabled, Mirantis Container Runtime 20.10.8 leaks memory during TLS handshakes, which could be abused to cause a denial of service.

CVE-2021-25051 (via National Vulnerability Database)
The Modal Window WordPress plugin before 5.2.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF RCE.

Weekly cyberattacks jumped by 50% in 2021, with a peak in December due largely to the Log4J exploit (via Tech Republic)
Check Point Research said Africa had the highest amount with an average of 1,582 per week per organization. Here's how to combat the latest surge in attacks.

Haveged 1.9.17 (via Packet Storm Security)
haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self-test targets and a spec file for those who want to build an RPM.

URL Parsing Bugs Allow DoS, RCE, Spoofing & More (via Threat Post)
Dangerous security bugs stemming from widespread inconsistencies among 16 popular third-party URL-parsing libraries could affect a wide swath of web applications.

CVE-2020-28679 (via National Vulnerability Database)
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

CVE-2022-0174 (via National Vulnerability Database)
dolibarr is vulnerable to Business Logic Errors.

NCSC Outlines Tips to Mitigate Commercial Surveillance (via Digital Guardian)
The National Counterintelligence and Security Center (NCSC) on Friday warned about the risks posed by commercial spyware to smartphones.

FBI Warns FIN7 Campaign Delivers Ransomware via BadUSB (via Dark Reading)
An FBI warning says the FIN7 cybercrime group has sent packages containing malicious USB drives to US companies in an effort to spread ransomware.

CVE-2022-21666 (via National Vulnerability Database)
Useful Simple Open-Source CMS (USOC) is a content management system (CMS) for programmers. Versions prior to Pb2.4Bfx3 allowed SQL injection in usersearch.php, only for users with administrative privileges. Users should replace the file `admin/pages/useredit.php` with a newer version. USOC version Pb2.4Bfx3 contains a fixed version of `admin/pages/useredit.php`.

CVE-2021-29454 (via National Vulnerability Database)
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user-provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.

CVE-2021-21408 (via National Vulnerability Database)
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static PHP methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.

CVE-2022-0155 (via National Vulnerability Database)
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor.

CVE-2020-25427 (via National Vulnerability Database)
A null pointer dereference vulnerability exists in MP4Box - GPAC version 0.8.0-rev177-g51a8ef874-master via the gf_isom_get_track_id function, which causes a denial of service.

CVE-2022-21668 (via National Vulnerability Database)
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.