βΌ CVE-2021-24974 βΌ
π Read
via "National Vulnerability Database".
The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24865 βΌ
π Read
via "National Vulnerability Database".
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25062 βΌ
π Read
via "National Vulnerability Database".
The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24965 βΌ
π Read
via "National Vulnerability Database".
The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in adminsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24733 βΌ
π Read
via "National Vulnerability Database".
The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25031 βΌ
π Read
via "National Vulnerability Database".
The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
ποΈ Chain of vulnerabilities led to RCE on Cisco Prime servers ποΈ
π Read
via "The Daily Swig".
Full chain exploit ready for Prime timeπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Chain of vulnerabilities led to RCE on Cisco Prime servers
Full chain exploit ready for Prime time
β Alleged carder gang mastermind and three acolytes under arrest in Russia β
π Read
via "Naked Security".
The motto of the gang was "In Fraud We Trust", and they went by a dizzying range of online nicknames.π Read
via "Naked Security".
Naked Security
Alleged carder gang mastermind and three acolytes under arrest in Russia
The motto of the gang was βIn Fraud We Trustβ, and they went by a dizzying range of online nicknames.
ποΈ OpenSubtitles data breach: Users asked to re-secure accounts after plaintext password snafu ποΈ
π Read
via "The Daily Swig".
Movie translation site asked victims to reset passwordsβ¦ then sent them in clear textπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
OpenSubtitles data breach: Users asked to re-secure accounts after plaintext password snafu
Movie translation site asked victims to reset passwords⦠then sent them in clear text
π Logwatch 7.6 π
π Read
via "Packet Storm Security".
Logwatch analyzes and reports on unix system logs. It is a customizable and pluggable log monitoring system which will go through the logs for a given period of time and make a customizable report. It should work right out of the package on most systems.π Read
via "Packet Storm Security".
Packetstormsecurity
Logwatch 7.6 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2021-44981 βΌ
π Read
via "National Vulnerability Database".
In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, which allows for privilege escalation by means of RCE.π Read
via "National Vulnerability Database".
π΄ A Level-Set on Russia-Borne Cyber Threats π΄
π Read
via "Dark Reading".
As hostilities mount between Russia and Ukraine, new and more dangerous cyberattacks are likely to develop. Pinpointing sources and motives will remain elusive, but enterprises should prepare for an escalation in cyberspace.π Read
via "Dark Reading".
Dark Reading
A Level-Set on Russia-Borne Cyber Threats
As hostilities mount between Russia and Ukraine, new and more dangerous cyberattacks are likely to develop. Pinpointing sources and motives will remain elusive, but enterprises should prepare for an escalation in cyberspace.
π΄ Are You Prepared to Defend Against a USB Attack? π΄
π Read
via "Dark Reading".
Recent "BadUSB" attacks serve as a reminder of the big damage that small devices can cause.π Read
via "Dark Reading".
Dark Reading
Vulnerabilities & Threats recent news | Dark Reading
Explore the latest news and expert commentary on Vulnerabilities & Threats, brought to you by the editors of Dark Reading
π1
βΌ CVE-2022-22296 βΌ
π Read
via "National Vulnerability Database".
Sourcecodester Hospital's Patient Records Management System 1.0 is vulnerable to Insecure Permissions via the id parameter in manage_user endpoint. Simply change the value and data of other users can be displayed.π Read
via "National Vulnerability Database".
π1
π Lynis Auditing Tool 3.0.7 π
π Read
via "Packet Storm Security".
Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems.π Read
via "Packet Storm Security".
Packetstormsecurity
Lynis Auditing Tool 3.0.7 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
ποΈ RCE bug chain patched in CentOS Web Panel ποΈ
π Read
via "The Daily Swig".
Shell injected on servers via bypass of local file inclusion defensesπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
RCE bug chain patched in Control Web Panel
Shell injected on servers via bypass of local file inclusion defenses
βΌ CVE-2021-41472 βΌ
π Read
via "National Vulnerability Database".
SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password parameters.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23437 βΌ
π Read
via "National Vulnerability Database".
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4088 βΌ
π Read
via "National Vulnerability Database".
SQL injection vulnerability in Data Loss Protection (DLP) ePO extension 11.8.x prior to 11.8.100, 11.7.x prior to 11.7.101, and 11.6.401 allows a remote authenticated attacker to inject unfiltered SQL into the DLP part of the ePO database. This could lead to remote code execution on the ePO server with privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40596 βΌ
π Read
via "National Vulnerability Database".
SQL injection vulnerability in Login.php in sourcecodester Online Learning System v2 by oretnom23, allows attackers to execute arbitrary SQL commands via the faculty_id parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40909 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to /ajax_crud.π Read
via "National Vulnerability Database".