‼ CVE-2021-46663 ‼
MariaDB through 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements.
via "National Vulnerability Database".
‼ CVE-2021-46661 ‼
MariaDB through 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE).
via "National Vulnerability Database".
‼ CVE-2021-46668 ‼
MariaDB through 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures.
via "National Vulnerability Database".
🕴 Coalition Launches Executive Risks Products With Personalized Risk Assessment 🕴
Coalition now offering Directors & Officers (D&O) and Employment Practices Liability (EPL) with new tools and features to all broker partners.
via "Dark Reading".
🕴 Cymulate Launches Service to Augment In-House Security Teams 🕴
Amplify bolsters organizations with limited resources to optimize their security posture.
via "Dark Reading".
❌ Living Off the Land: How to Defend Against Malicious Use of Legitimate Utilities ❌
LOLBins help attackers become invisible to security platforms. Uptycs provides a rundown of the most commonly abused native utilities for Windows, Linux and macOS – and advice for protection.
via "Threat Post".
🗓️ Decryption key released for DeadBolt ransomware after QNAP NAS devices infected 🗓️
Tool enables decryption key to work after forced firmware update rendered it useless.
via "The Daily Swig".
🕴 Critical Log4j Vulnerabilities Are the Ultimate Gift for Cybercriminals 🕴
It's important to assume you have been vulnerable for months if not years, and to plan — and patch — accordingly.
via "Dark Reading".
‼ CVE-2022-23601 ‼
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in forms when not explicitly enabled, which makes the application susceptible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
via "National Vulnerability Database".
‼ CVE-2021-43848 ‼
h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.
via "National Vulnerability Database".
‼ CVE-2021-24686 ‼
The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
via "National Vulnerability Database".
‼ CVE-2021-43509 ‼
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php.
via "National Vulnerability Database".
‼ CVE-2021-43510 ‼
SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.
via "National Vulnerability Database".
‼ CVE-2021-25097 ‼
The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF checks in place when deleting publications, allowing any authenticated user, such as a subscriber, to delete arbitrary publications.
via "National Vulnerability Database".
‼ CVE-2021-25092 ‼
The Link Library WordPress plugin before 7.2.8 does not have a CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack.
via "National Vulnerability Database".
‼ CVE-2021-24934 ‼
The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.
via "National Vulnerability Database".
‼ CVE-2021-24775 ‼
The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.
via "National Vulnerability Database".
‼ CVE-2021-24763 ‼
The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey.
via "National Vulnerability Database".
‼ CVE-2021-24919 ‼
The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user, leading to an SQL injection.
via "National Vulnerability Database".
‼ CVE-2021-46253 ‼
A cross-site scripting (XSS) vulnerability in the Create Post function of Anchor CMS v0.12.7 allows attackers to execute arbitrary web scripts or HTML.
via "National Vulnerability Database".
‼ CVE-2021-24944 ‼
The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
via "National Vulnerability Database".