‼ CVE-2022-1094 ‼
The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-0656 ‼
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc).
📖 Read via "National Vulnerability Database".
‼ CVE-2022-25866 ‼
The package czproject/git-php before 4.0.3 is vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-4225 ‼
The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-29419 ‼
SQL Injection (SQLi) vulnerability in Don Crowther's 3xSocializer WordPress plugin <= 0.98.22, exploitable by users with a low role such as subscriber or higher.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-28290 ‼
Reflected Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as part of the HTTP request.
📖 Read via "National Vulnerability Database".
🕴 Mastercard Launches Next-Generation Identity Technology with Microsoft 🕴
New 'trust' tool improves online experience and helps tackle digital fraud.
📖 Read via "Dark Reading".
🕴 When Security Meets Development: The DevSecOps Conundrum 🕴
The DevSecOps journey is well worth undertaking because it can improve communication, speed up development, and ensure quality products.
📖 Read via "Dark Reading".
‼ CVE-2021-35250 ‼
A researcher reported a Directory Traversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-23457 ‼
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
📖 Read via "National Vulnerability Database".
🕴 North Korean State Actors Deploying Novel Malware to Spy on Journalists 🕴
Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.
📖 Read via "Dark Reading".
🕴 Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw 🕴
Threat actor is using the flaw to deliver Core Impact backdoor on vulnerable systems, security vendor says.
📖 Read via "Dark Reading".
🕴 What the ECDSA Flaw in Java Means for Enterprises 🕴
This Tech Tip reminds developers and security teams to check what version of Java they are running. Whether they are vulnerable to the ECDSA flaw boils down to the version number.
📖 Read via "Dark Reading".
‼ CVE-2022-24880 ‼
flask-session-captcha is a package which allows users to extend Flask by adding an image-based captcha stored in a server-side session. In versions prior to 1.2.1, the `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can work around the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-29499 ‼
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-29806 ‼
ZoneMinder before 1.36.13 allows remote code execution via an invalid language.
📖 Read via "National Vulnerability Database".
❌ Firms Push for CVE-Like Cloud Bug System ❌
Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.
📖 Read via "Threat Post".
‼ CVE-2022-24706 ‼
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
📖 Read via "National Vulnerability Database".
🕴 SecurityScorecard Launches Cyber Risk Quantification Portfolio 🕴
SecurityScorecard's Cyber Risk Quantification portfolio helps customers understand the financial impact of a cyber-attack.
📖 Read via "Dark Reading".
🕴 Introducing Apostro: A Risk Management Platform for Web3 Security 🕴
Apostro's system will monitor all transactions to identify malicious behavior that can cause damage to DeFi protocols.
📖 Read via "Dark Reading".
🛠 GNU Privacy Guard 2.2.35 🛠
GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions. This is the LTS release.
📖 Read via "Packet Storm Security".