CVE-2022-0969
via "National Vulnerability Database".
The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-1008
via "National Vulnerability Database".
The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.
CVE-2022-0271
via "National Vulnerability Database".
The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected Cross-Site Scripting.
CVE-2021-24986
via "National Vulnerability Database".
The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form.
CVE-2022-27041
via "National Vulnerability Database".
Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases.
CVE-2022-0471
via "National Vulnerability Database".
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue.
CVE-2022-27111
via "National Vulnerability Database".
Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.
Access control vulnerability in Easy!Appointments platform exposed sensitive personal data
via "The Daily Swig".
Unprotected API could expose names, places, times of bookings made using app.
Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now!
via "Naked Security".
A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it.
Creating a Security Culture Where People Can Admit Mistakes
via "Dark Reading".
In cybersecurity, user error is the symptom, not the disease. A healthy culture acknowledges and addresses the underlying causes of lapses.
10 Signs of a Good Security Leader
via "Dark Reading".
Strong leadership can lead to motivated and loyal employees. Here's what that looks like.
OpenSSH goes Post-Quantum, switches to qubit-busting crypto by default
via "Naked Security".
Useful quantum computers might not actually be possible. But what if they are? And what if they arrive, say, tomorrow?
SafeGuard Cyber Provides Security Advice for Defending Against Browser-in-the-Browser (BitB) Attacks
via "Dark Reading".
Imprivata Acquires SecureLink to Deliver a Single-Vendor Platform to Manage and Secure All Enterprise and Third-Party Digital Identities
via "Dark Reading".
Imprivata will unlock further value for customers by unifying, integrating, and automating digital identity to enable autonomous identity systems.
Microsoft Takes Down Domains Used in Cyberattack Against Ukraine
via "Threat Post".
APT28 (Advanced Persistent Threat) has been operating since 2009; the group has worked under different names such as Sofacy, Sednit, Strontium Storm, Fancy Bear, Iron Twilight, and Pawn.
Microsoft steps up defensive actions to "defend against an onslaught of cyberwarfare that has escalated since the invasion" of Ukraine.
Haveged 1.9.18
via "Packet Storm Security".
haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self-test targets and a spec file for those who want to build an RPM.
CVE-2021-40219
via "National Vulnerability Database".
Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit a theme to inject server-side template injection that leads to remote code execution.
CVE-2021-38930
via "National Vulnerability Database".
IBM System Storage DS8000 Management Console (HMC) R8.5 88.5x.x.x, R9.1 89.1x.0.0, and R9.2 89.2x.0.0 could allow a remote attacker to obtain sensitive information through unpublished URLs. IBM X-Force ID: 210331.
CVE-2021-43442
via "National Vulnerability Database".
A Logic Flaw vulnerability exists in i3 International Inc Annexxus Camera V5.2.0 build 150317 (Ax46), V5.0.9 build 151106 (Ax68), and V5.0.9 build 150615 (Ax78) due to a failure to allow the creation of more than one administrator account; however, this can be bypassed by parameter manipulation using PUT and DELETE and by calling the 'UserPermission' endpoint with the ID of the created account and setting it to the 'admin' userType, successfully adding a second administrative account.
CVE-2021-37293
via "National Vulnerability Database".
A Directory Traversal vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 via the page GET parameter in index.php.
CVE-2021-37292
via "National Vulnerability Database".
An Access Control vulnerability exists in KevinLAB Inc Building Energy Management System 4ST BEMS 1.0.0 due to an undocumented backdoor account. A malicious user can log in using the backdoor account with the highest (admin) privileges and obtain system control.