βΌ CVE-2021-24775 βΌ
π Read
via "National Vulnerability Database".
The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24763 βΌ
π Read
via "National Vulnerability Database".
The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any surveyπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24919 βΌ
π Read
via "National Vulnerability Database".
The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injectionπ Read
via "National Vulnerability Database".
βΌ CVE-2021-46253 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the Create Post function of Anchor CMS v0.12.7 allows attackers to execute arbitrary web scripts or HTML.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24944 βΌ
π Read
via "National Vulnerability Database".
The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24900 βΌ
π Read
via "National Vulnerability Database".
The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24707 βΌ
π Read
via "National Vulnerability Database".
The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25072 βΌ
π Read
via "National Vulnerability Database".
The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24765 βΌ
π Read
via "National Vulnerability Database".
The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issueπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0417 βΌ
π Read
via "National Vulnerability Database".
Heap-based Buffer Overflow in Conda vim prior to 8.2.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24983 βΌ
π Read
via "National Vulnerability Database".
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not sanitise and escape POSted parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issueπ Read
via "National Vulnerability Database".
ποΈ SureMDM bug chain enabled wholesale compromise of managed devices ποΈ
π Read
via "The Daily Swig".
Series of flaws in MDM platform addressed in web console and Linux agentπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
SureMDM bug chain enabled wholesale compromise of managed devices
Series of flaws in MDM platform addressed in web console and Linux agent
π΄ Mastercard Launches Global Cybersecurity Alliance Program to Further Secure The Digital Ecosystem π΄
π Read
via "Dark Reading".
New program helps partners accelerate growth and provide scaled delivery of critical cybersecurity and risk services.π Read
via "Dark Reading".
Dark Reading
Mastercard Launches Global Cybersecurity Alliance Program to Further Secure The Digital Ecosystem
New program helps partners accelerate growth and provide scaled delivery of critical cybersecurity and risk services.
π΄ Qualys Adds Advanced Remediation Capabilities to Minimize Vulnerability Risk π΄
π Read
via "Dark Reading".
Update to Qualys Cloud Platform enables organizations to fix asset misconfigurations in addition to patching to achieve comprehensive remediation.π Read
via "Dark Reading".
Dark Reading
Qualys Adds Advanced Remediation Capabilities to Minimize Vulnerability Risk
Update to Qualys Cloud Platform enables organizations to fix asset misconfigurations in addition to patching to achieve comprehensive remediation.
ποΈ Critical Samba flaw presents code execution threat ποΈ
π Read
via "The Daily Swig".
Urgent patching of file-sharing technology urgedπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Critical Samba flaw presents code execution threat
Urgent patching of file-sharing technology urged
βΌ CVE-2021-38560 βΌ
π Read
via "National Vulnerability Database".
Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44746 βΌ
π Read
via "National Vulnerability Database".
UNIVERGE DT 820 V3.2.7.0 and prior, UNIVERGE DT 830 V5.2.7.0 and prior, UNIVERGE DT 930 V2.4.0.0 and prior, IP Phone Manager V8.9.1 and prior, Data Maintenance Tool for DT900 Series V5.3.0.0 and prior, Data Maintenance Tool for DT800 Series V4.2.0.0 and prior allows a remote attacker who can access to the internal network, the configuration information may be obtained.π Read
via "National Vulnerability Database".
β Website operator fined for using Google Fonts βthe cloudy wayβ β
π Read
via "Naked Security".
Google Fonts are OK, it seems, but only if everyone keeps their own copy of the fonts they use.π Read
via "Naked Security".
Naked Security
Website operator fined for using Google Fonts βthe cloudy wayβ
Google Fonts are OK, it seems, but only if everyone keeps their own copy of the fonts they use.
π΄ Complexity vs. Capability: How to Bridge the Security Effectiveness Gap π΄
π Read
via "Dark Reading".
Consolidation and automation are among the strategies for balancing security complexity and capability.π Read
via "Dark Reading".
Dark Reading
Complexity vs. Capability: How to Bridge the Security Effectiveness Gap
Consolidation and automation are among the strategies for balancing security complexity and capability.
β Linux kernel patches βperformance can be harmfulβ bug in video driver β
π Read
via "Naked Security".
This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.π Read
via "Naked Security".
Naked Security
Linux kernel patches βperformance can be harmfulβ bug in video driver
This bug is fiendishly hard to exploit β but if you patch, it wonβt be there to exploit at all.
π΄ 7 Red Flags That Can Stop Your Company From Becoming a Unicorn π΄
π Read
via "Dark Reading".
Investors and venture capitalists share the reasons that make them turn away from investing in your security tech.π Read
via "Dark Reading".
Dark Reading
7 Red Flags That Can Stop Your Company From Becoming a Unicorn
Investors and venture capitalists share the reasons that make them turn away from investing in your security tech.