βΌ CVE-2021-25015 βΌ
π Read
via "National Vulnerability Database".
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25013 βΌ
π Read
via "National Vulnerability Database".
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary postsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25080 βΌ
π Read
via "National Vulnerability Database".
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entryπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24968 βΌ
π Read
via "National Vulnerability Database".
The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questionsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24985 βΌ
π Read
via "National Vulnerability Database".
The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issuesπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25074 βΌ
π Read
via "National Vulnerability Database".
The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24974 βΌ
π Read
via "National Vulnerability Database".
The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24865 βΌ
π Read
via "National Vulnerability Database".
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25062 βΌ
π Read
via "National Vulnerability Database".
The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24965 βΌ
π Read
via "National Vulnerability Database".
The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in adminsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24733 βΌ
π Read
via "National Vulnerability Database".
The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25031 βΌ
π Read
via "National Vulnerability Database".
The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
ποΈ Chain of vulnerabilities led to RCE on Cisco Prime servers ποΈ
π Read
via "The Daily Swig".
Full chain exploit ready for Prime timeπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Chain of vulnerabilities led to RCE on Cisco Prime servers
Full chain exploit ready for Prime time
β Alleged carder gang mastermind and three acolytes under arrest in Russia β
π Read
via "Naked Security".
The motto of the gang was "In Fraud We Trust", and they went by a dizzying range of online nicknames.π Read
via "Naked Security".
Naked Security
Alleged carder gang mastermind and three acolytes under arrest in Russia
The motto of the gang was βIn Fraud We Trustβ, and they went by a dizzying range of online nicknames.
ποΈ OpenSubtitles data breach: Users asked to re-secure accounts after plaintext password snafu ποΈ
π Read
via "The Daily Swig".
Movie translation site asked victims to reset passwordsβ¦ then sent them in clear textπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
OpenSubtitles data breach: Users asked to re-secure accounts after plaintext password snafu
Movie translation site asked victims to reset passwords⦠then sent them in clear text
π Logwatch 7.6 π
π Read
via "Packet Storm Security".
Logwatch analyzes and reports on unix system logs. It is a customizable and pluggable log monitoring system which will go through the logs for a given period of time and make a customizable report. It should work right out of the package on most systems.π Read
via "Packet Storm Security".
Packetstormsecurity
Logwatch 7.6 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2021-44981 βΌ
π Read
via "National Vulnerability Database".
In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, which allows for privilege escalation by means of RCE.π Read
via "National Vulnerability Database".
π΄ A Level-Set on Russia-Borne Cyber Threats π΄
π Read
via "Dark Reading".
As hostilities mount between Russia and Ukraine, new and more dangerous cyberattacks are likely to develop. Pinpointing sources and motives will remain elusive, but enterprises should prepare for an escalation in cyberspace.π Read
via "Dark Reading".
Dark Reading
A Level-Set on Russia-Borne Cyber Threats
As hostilities mount between Russia and Ukraine, new and more dangerous cyberattacks are likely to develop. Pinpointing sources and motives will remain elusive, but enterprises should prepare for an escalation in cyberspace.
π΄ Are You Prepared to Defend Against a USB Attack? π΄
π Read
via "Dark Reading".
Recent "BadUSB" attacks serve as a reminder of the big damage that small devices can cause.π Read
via "Dark Reading".
Dark Reading
Vulnerabilities & Threats recent news | Dark Reading
Explore the latest news and expert commentary on Vulnerabilities & Threats, brought to you by the editors of Dark Reading
π1
βΌ CVE-2022-22296 βΌ
π Read
via "National Vulnerability Database".
Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be displayed.π Read
via "National Vulnerability Database".
π1
π Lynis Auditing Tool 3.0.7 π
π Read
via "Packet Storm Security".
Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems.π Read
via "Packet Storm Security".
Packetstormsecurity
Lynis Auditing Tool 3.0.7 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers