βΌ CVE-2022-26111 βΌ
π Read
via "National Vulnerability Database".
The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.π Read
via "National Vulnerability Database".
β Phishing goes KISS: Donβt let plain and simple messages catch you out! β
π Read
via "Naked Security".
Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because they're uncomplicated.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Ukraine Invasion Driving DDoS Attacks to All-Time Highs π΄
π Read
via "Dark Reading".
Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.π Read
via "Dark Reading".
Dark Reading
Ukraine Invasion Driving DDoS Attacks to All-Time Highs
Unprecedented numbers of DDoS attacks since February are the result of hacktivists' cyberwar against Russian state interests, researchers say.
π1
βΌ CVE-2022-0953 βΌ
π Read
via "National Vulnerability Database".
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode charactersπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0398 βΌ
π Read
via "National Vulnerability Database".
The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary websiteπ Read
via "National Vulnerability Database".
βΌ CVE-2022-26597 βΌ
π Read
via "National Vulnerability Database".
Cross-site scripting (XSS) vulnerability in the Layout module's Open Graph integration in Liferay Portal 7.3.0 through 7.4.0, and Liferay DXP 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the site name.π Read
via "National Vulnerability Database".
βΌ CVE-2022-22392 βΌ
π Read
via "National Vulnerability Database".
IBM Planning Analytics Local 2.0 could allow an attacker to upload arbitrary executable files which, when executed by an unsuspecting victim could result in code execution. IBM X-Force ID: 222066.π Read
via "National Vulnerability Database".
βΌ CVE-2022-26596 βΌ
π Read
via "National Vulnerability Database".
Cross-site scripting (XSS) vulnerability in Journal module's web content display configuration page in Liferay Portal 7.1.0 through 7.3.3, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19, and 7.2 before fix pack 8, allows remote attackers to inject arbitrary web script or HTML via web content template names.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24957 βΌ
π Read
via "National Vulnerability Database".
The Advanced Page Visit Counter WordPress plugin through 5.0.8 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injectionπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1441 βΌ
π Read
via "National Vulnerability Database".
MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse a MP4 file, it calls the function `diST_box_read()` to read from video. In this function, it allocates a buffer `str` with fixed length. However, content read from `bs` is controllable by user, so is the length, which causes a buffer overflow.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0287 βΌ
π Read
via "National Vulnerability Database".
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blogπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0657 βΌ
π Read
via "National Vulnerability Database".
The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.π Read
via "National Vulnerability Database".
βΌ CVE-2022-29417 βΌ
π Read
via "National Vulnerability Database".
Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin <= 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1156 βΌ
π Read
via "National Vulnerability Database".
The Books & Papers WordPress plugin through 0.20210223 does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2021-39040 βΌ
π Read
via "National Vulnerability Database".
IBM Planning Analytics Workspace 2.0 could be vulnerable to malicious file upload by not validating the file types or sizes. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 214025.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46780 βΌ
π Read
via "National Vulnerability Database".
The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1153 βΌ
π Read
via "National Vulnerability Database".
The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1392 βΌ
π Read
via "National Vulnerability Database".
The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issuesπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1152 βΌ
π Read
via "National Vulnerability Database".
The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0363 βΌ
π Read
via "National Vulnerability Database".
The myCred WordPress plugin before 2.4.4 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1094 βΌ
π Read
via "National Vulnerability Database".
The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".