‼ CVE-2022-0919 ‼
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated user to search other users' bookings and retrieve sensitive information about them, such as the full name, email and phone number of the person who booked.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-1023 ‼
The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-25090 ‼
The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Due to the lack of sanitisation and escaping, this could also allow attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embedded.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-0920 ‼
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of their endpoints, which could allow customers to access all bookings and other customers' data.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-0531 ‼
The Migration, Backup, Staging WordPress plugin before 0.9.70 does not sanitise and escape the sub_page parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-27089 ‼
In Fujitsu PlugFree Network <= 7.3.0.3, an unquoted service path in PFNService.exe allows a local attacker to potentially escalate privileges to SYSTEM level.
📖 Read via "National Vulnerability Database".
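Added example, not Fujitsu's code or anything from the NVD entry: a Python model of how Windows resolves an unquoted ImagePath that contains spaces. CreateProcess tries each prefix that ends at a space (appending .exe when the prefix has no extension) before it reaches the intended binary, so a writable directory anywhere along that chain lets a local user plant a binary that the service starts as SYSTEM. The install path shown for PFNService is an assumption based on the product name, the other service entries and the writable directory are constructed, and on a real host the writability check would be an ACL query (for example with icacls) rather than a list.

```python
"""Unquoted service path analysis (CVE-2022-27089 class), modelled offline in Python."""
import ntpath
from typing import Dict, List, Tuple


def parse_image_path(image_path: str) -> Tuple[bool, str]:
    """Return (quoted, command). A quoted ImagePath delimits the executable exactly,
    so the loader never has to guess where the path ends and the arguments begin."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return True, (s[1:end] if end != -1 else s[1:])
    return False, s


def hijack_candidates(image_path: str) -> List[str]:
    """Paths Windows will try, in order, before the intended binary of an unquoted
    ImagePath: each prefix ending at a space, with .exe appended when the prefix's
    last component has no extension (CreateProcess with lpApplicationName = NULL)."""
    quoted, cmd = parse_image_path(image_path)
    if quoted:
        return []
    candidates: List[str] = []
    for i, ch in enumerate(cmd):
        if ch != " ":
            continue
        prefix = cmd[:i]
        base = ntpath.basename(prefix)
        if base.lower().endswith(".exe"):
            break  # reached the real executable; the rest are its arguments
        candidates.append(prefix + ".exe" if "." not in base else prefix)
    return candidates


def analyse_services(services: Dict[str, str], writable_dirs: List[str]) -> Dict[str, List[str]]:
    """Map service name -> candidate paths whose parent directory an unprivileged
    user can write to. writable_dirs is supplied by the caller (constructed here)."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        hits = [c for c in hijack_candidates(image_path)
                if ntpath.dirname(c).rstrip("\\").lower() in writable]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample ImagePath values, as they would sit under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. The PFNService path is an
# assumption modelled on the product name; the advisory does not give it.
SAMPLE_SERVICES = {
    "PFNService": r"C:\Program Files\Fujitsu\PlugFree Network\PFNService.exe",
    "GoodSvc": r'"C:\Program Files\Vendor\Good Service\svc.exe" -run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Constructed: pretend the vendor's installer left its own folder world-writable.
SAMPLE_WRITABLE = [r"C:\Program Files\Fujitsu"]


if __name__ == "__main__":
    for svc, path in SAMPLE_SERVICES.items():
        print(svc, "->", hijack_candidates(path))
    print("exploitable:", analyse_services(SAMPLE_SERVICES, SAMPLE_WRITABLE))
```

The fix on the product side is to quote the path in the service's ImagePath; as a defender, the candidate list is what you feed into an ACL check, since an unquoted path is only exploitable when one of those intermediate directories is writable by the attacker's account.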
‼ CVE-2022-0828 ‼
The Download Manager WordPress plugin before 3.2.39 uses the PHP uniqid function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources, giving direct download access regardless of role-based restrictions or password protection set for the download.
📖 Read via "National Vulnerability Database".
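Added example, not the plugin's code or anything from the NVD entry: a Python model of why a uniqid()-derived secret is guessable. PHP's uniqid() with no prefix and more_entropy disabled returns sprintf("%08x%05x", seconds, microseconds), so every one of its 13 hex characters is derived from the wall clock. An attacker who can estimate when the download was created only has to enumerate 1,000,000 values per second of uncertainty against the server's key check. That the plugin called uniqid() in exactly this form is an assumption; the creation timestamp and the online oracle are constructed for the demo.

```python
"""Why uniqid() is not a secret (CVE-2022-0828 class), modelled in Python."""
import math
import secrets
from typing import Callable, Optional, Tuple


def php_uniqid(sec: int, usec: int) -> str:
    """Model of PHP uniqid('', false): 8 hex digits of Unix seconds followed by
    5 hex digits of the microsecond part. No randomness is involved."""
    return f"{sec:08x}{usec:05x}"


def uniqid_search_space(window_seconds: int) -> int:
    """Distinct values uniqid() can produce inside a window of wall-clock seconds."""
    return window_seconds * 1_000_000


def entropy_bits(search_space: int) -> float:
    """Effective key strength in bits for a uniformly guessed search space."""
    return math.log2(search_space)


def make_server_check(master_key: str) -> Callable[[str], bool]:
    """The server-side check an attacker gets to query: accept or reject only.
    Constant-time comparison so the oracle leaks nothing beyond that bit."""
    return lambda candidate: secrets.compare_digest(candidate, master_key)


def brute_force_online(is_valid: Callable[[str], bool],
                       window_start: int, window_seconds: int) -> Optional[Tuple[str, int]]:
    """Attacker's view: knows roughly when the download was created, submits every
    uniqid() value that window could have produced, stops at the first accepted one.
    Returns (key, attempts) or None if the window was wrong."""
    attempts = 0
    for sec in range(window_start, window_start + window_seconds):
        for usec in range(1_000_000):
            attempts += 1
            candidate = php_uniqid(sec, usec)
            if is_valid(candidate):
                return candidate, attempts
    return None


def secure_master_key() -> str:
    """Fix: draw the key from the OS CSPRNG. 128 bits cannot be enumerated,
    whatever the attacker knows about the creation time."""
    return secrets.token_hex(16)


def demo() -> Tuple[str, int]:
    # Constructed: a download created at Unix time 1647000000 + 12345 microseconds.
    created_sec, created_usec = 1_647_000_000, 12_345
    weak_key = php_uniqid(created_sec, created_usec)
    check = make_server_check(weak_key)
    found = brute_force_online(check, created_sec, 1)  # attacker knows the second
    assert found is not None
    return found


if __name__ == "__main__":
    key, attempts = demo()
    print(f"recovered {key} after {attempts} guesses")
    print(f"one hour of uncertainty is only {entropy_bits(uniqid_search_space(3600)):.1f} bits")
    print(f"secure replacement: {secure_master_key()} (128 bits)")
```

Even an attacker who only knows the day of creation faces about 36 bits of search, well within "reasonable resources" for an online guess that is not rate-limited; a CSPRNG-backed token removes the time dependence entirely, which is the only real fix.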
‼ CVE-2022-0314 ‼
The Nimble Page Builder WordPress plugin before 3.2.2 does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-0969 ‼
The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" setting, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-1008 ‼
The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-0271 ‼
The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice parameter before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected Cross-Site Scripting.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-24986 ‼
The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-27041 ‼
Due to a lack of input protection, the student_id parameter in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL and extract information from the database.
📖 Read via "National Vulnerability Database".
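Added example, not OpenSIS code and not taken from the NVD entry: the pattern behind an injectable id parameter, modelled in Python with sqlite3. The schema, the rows and the lookup function are constructed; the point is that splicing student_id into the statement text lets a UNION pull rows from an unrelated table, while a typed check plus a bound parameter makes the same input either rejected or inert.

```python
"""SQL injection through an unprotected id parameter, modelled with sqlite3."""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed schema standing in for a student information system."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE students(student_id INTEGER PRIMARY KEY, name TEXT, eligible INTEGER);
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO students VALUES (1, 'Ada Lovelace', 1), (2, 'Alan Turing', 0);
        INSERT INTO users VALUES ('admin', '$2y$10$constructedhash');
    """)
    return con


def eligibility_vulnerable(con: sqlite3.Connection, student_id: str) -> List[Tuple]:
    """Bug pattern: the request parameter is concatenated into the statement,
    so whatever the client sent is parsed as SQL."""
    sql = "SELECT name, eligible FROM students WHERE student_id = " + student_id
    return con.execute(sql).fetchall()


def eligibility_fixed(con: sqlite3.Connection, student_id: str) -> List[Tuple]:
    """Fix: validate the type (an id is never free text) and bind the value,
    so the driver ships it separately from the statement and it can only be data."""
    if not student_id.isdigit():
        raise ValueError("student_id must be an integer")
    sql = "SELECT name, eligible FROM students WHERE student_id = ?"
    return con.execute(sql, (int(student_id),)).fetchall()


# Constructed payload: no student has id 0, so the only rows returned come from
# the UNIONed users table. The second column pads the UNION to two columns.
PAYLOAD = "0 UNION SELECT username || ':' || password_hash, 0 FROM users"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id :", eligibility_vulnerable(db, "1"))
    print("vulnerable, payload   :", eligibility_vulnerable(db, PAYLOAD))
    print("fixed, normal id      :", eligibility_fixed(db, "1"))
    try:
        eligibility_fixed(db, PAYLOAD)
    except ValueError as err:
        print("fixed, payload        : rejected,", err)
```

Parameter binding is the control that actually closes the hole; the isdigit() check is defence in depth that also gives you a clean place to log and alert on the attempt.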
‼ CVE-2022-0471 ‼
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue.
📖 Read via "National Vulnerability Database".
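Added example, not code from any of the plugins above or from the NVD entries: the reflected-XSS pattern shared by the entries on this page, with the Post Grid case (a parameter echoed into an HTML attribute) as the model. It is written in Python so it runs stand-alone; the search form markup, the query string and the payload are constructed. The vulnerable renderer drops the keyword straight into value="", the fixed one escapes it for attribute context, and a small HTML-parser check shows whether the payload changed the markup the way a browser would see it.

```python
"""Reflected XSS in an HTML attribute: unescaped echo vs. context-aware escaping."""
import html
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed request: ?keyword=" autofocus onfocus="alert(1)   (URL-encoded)
SAMPLE_QUERY = "keyword=%22+autofocus+onfocus%3D%22alert%281%29"


def keyword_from_query(query_string: str) -> str:
    """Pull the keyword parameter out of the query string, URL-decoded."""
    return parse_qs(query_string, keep_blank_values=True).get("keyword", [""])[0]


def render_search_form_vulnerable(keyword: str) -> str:
    """Bug pattern: the parameter lands inside a value="" attribute untouched,
    so a double quote in it ends the attribute and the rest becomes new markup."""
    return f'<input type="text" name="keyword" value="{keyword}">'


def render_search_form_fixed(keyword: str) -> str:
    """Fix: escape &, <, >, " and ' before insertion. quote=True is the part that
    matters here; html.escape without it would leave the quote and still be exploitable."""
    return f'<input type="text" name="keyword" value="{html.escape(keyword, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser's parser would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, Optional[str]]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(rendered: str) -> List[Tuple[str, Dict[str, Optional[str]]]]:
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def injected(rendered: str) -> bool:
    """True if the payload changed the markup: an extra element appeared, or the
    single input element grew an on* event-handler attribute."""
    tags = parse_tags(rendered)
    if len(tags) != 1:
        return True
    return any(name.lower().startswith("on") for name in tags[0][1])


if __name__ == "__main__":
    kw = keyword_from_query(SAMPLE_QUERY)
    for label, renderer in (("vulnerable", render_search_form_vulnerable),
                            ("fixed", render_search_form_fixed)):
        out = renderer(kw)
        print(f"{label:10s} injected={injected(out)}  {out}")
```

Escaping is context-specific: the attribute case needs quotes encoded, a JavaScript or URL context needs a different encoder again, which is why "sanitise and escape" in these advisories means escaping at the output point for the context the value lands in, not filtering on input.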
‼ CVE-2022-27111 ‼
Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend, where it executes.
📖 Read via "National Vulnerability Database".
🗓️ Access control vulnerability in Easy!Appointments platform exposed sensitive personal data 🗓️
Unprotected API could expose names, places, times of bookings made using app.
📖 Read via "The Daily Swig".
⚠ Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now! ⚠
A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it.
📖 Read via "Naked Security".
🕴 Creating a Security Culture Where People Can Admit Mistakes 🕴
In cybersecurity, user error is the symptom, not the disease. A healthy culture acknowledges and addresses the underlying causes of lapses.
📖 Read via "Dark Reading".
🕴 10 Signs of a Good Security Leader 🕴
Strong leadership can lead to motivated and loyal employees. Here's what that looks like.
📖 Read via "Dark Reading".
⚠ OpenSSH goes Post-Quantum, switches to qubit-busting crypto by default ⚠
Useful quantum computers might not actually be possible. But what if they are? And what if they arrive, say, tomorrow?
📖 Read via "Naked Security".
🕴 SafeGuard Cyber Provides Security Advice for Defending Against Browser-in-the-Browser (BitB) Attacks 🕴
📖 Read via "Dark Reading".