CVE-2021-36460
via "National Vulnerability Database".
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to take over a user's account, rendering the benefits of storing hashed passwords in the database useless.
CVE-2022-28053
via "National Vulnerability Database".
Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.
Trend Micro Launches New Security Platform
via "Dark Reading".
An ecosystem of native and third-party integrations provides visibility and control across the entire attack surface.
IBM database updates address critical vulnerabilities in third-party XML parser
via "The Daily Swig".
Flaws in popular parser prompt updates from numerous downstream vendors
QNAP warns of new bugs in its Network Attached Storage devices
via "Naked Security".
Here's what you need to know - plus some sensible advice for all the devices on your home or small biz network!
CVE-2022-28093
via "National Vulnerability Database".
SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2022-29078
via "National Vulnerability Database".
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
CVE-2022-28094
via "National Vulnerability Database".
SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the fid parameter at booking.php.
CVE-2022-26111
via "National Vulnerability Database".
The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.
Phishing goes KISS: Don't let plain and simple messages catch you out!
via "Naked Security".
Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because they're uncomplicated.
Ukraine Invasion Driving DDoS Attacks to All-Time Highs
via "Dark Reading".
Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.
CVE-2022-0953
via "National Vulnerability Database".
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters.
CVE-2022-0398
via "National Vulnerability Database".
The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as a subscriber, to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website.
CVE-2022-26597
via "National Vulnerability Database".
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.
CVE-2022-22392
via "National Vulnerability Database".
IBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim, could result in code execution. IBM X-Force ID: 222066.
CVE-2022-26596
via "National Vulnerability Database".
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.
CVE-2021-24957
via "National Vulnerability Database".
The Advanced Page Visit Counter WordPress plugin through 5.0.8 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection.
CVE-2022-1441
via "National Vulnerability Database".
MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse an MP4 file, it calls the function `diST_box_read()` to read from video. In this function, it allocates a buffer `str` with fixed length. However, content read from `bs` is controllable by the user, and so is the length, which causes a buffer overflow.
CVE-2022-0287
via "National Vulnerability Database".
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as a subscriber, to call and retrieve all email addresses from the blog.
CVE-2022-0657
via "National Vulnerability Database".
The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.
CVE-2022-29417
via "National Vulnerability Database".
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.