RubyGems supply chain rip-and-replace bug fixed – check your logs!
via "Naked Security".
Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

You didn't leave enough space between ROSE and AND, and AND and CROWN
via "Naked Security".
What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?

CVE-2022-23332
via "National Vulnerability Database".
Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field.

CVE-2022-27224
via "National Vulnerability Database".
An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS Lookup) and their respective input fields (ping_address, trace_address, nslookup_address).

CVE-2022-1631
via "National Vulnerability Database".
Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application using the Victim's Email. This allows an attacker to gain pre-authentication to the victim's account. Further, due to the lack of proper validation of email coming from Social Login and failing to check if an account already exists, the victim will not identify if an account is already existing. Hence, the attacker's persistence will remain. An attacker would be able to see all the activities performed by the victim user impacting the confidentiality and attempt to modify/corrupt the data impacting the integrity and availability factor. This attack becomes more interesting when an attacker can register an account from an employee's email address. Assuming the organization uses G-Suite, it is much more impactful to hijack into an employee's account.

FBI: Rise in Business Email-based Attacks is a $43B Headache
via "Threat Post".
A huge spike in fraudulent activities related to attacks leveraging business email accounts is a billion-dollar problem.

Deloitte Launches Expanded Cloud Security Management Platform
via "Dark Reading".
The CSM by Deloitte platform includes cloud security policy orchestration, cyber predictive analytics, attack surface management, and cyber cloud managed services.

CVE-2022-0814
via "National Vulnerability Database".
The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections.

CVE-2022-1104
via "National Vulnerability Database".
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0836
via "National Vulnerability Database".
The SEMA API WordPress plugin through 3.64 does not properly sanitise and escape some parameters before using them in SQL statements via an AJAX action, leading to SQL Injections exploitable by unauthenticated users.

CVE-2022-1013
via "National Vulnerability Database".
The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.

CVE-2022-0948
via "National Vulnerability Database".
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.

CVE-2022-1338
via "National Vulnerability Database".
The Easily Generate Rest API Url WordPress plugin through 1.0.0 does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2021-20479
via "National Vulnerability Database".
IBM Cloud Pak System 2.3.0 through 2.3.3.3 Interim Fix 1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 197498.

CVE-2019-25060
via "National Vulnerability Database".
The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.

CVE-2022-0592
via "National Vulnerability Database".
The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users.

CVE-2022-1171
via "National Vulnerability Database".
The Vertical scroll recent post WordPress plugin before 14.0 does not sanitise and escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting.

CVE-2022-22319
via "National Vulnerability Database".
IBM Robotic Process Automation 21.0.1 could allow a register user on the system to physically delete a queue that could cause disruption for any scripts dependent on the queue. IBM X-Force ID: 218366.

CVE-2022-0817
via "National Vulnerability Database".
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.

CVE-2022-28162
via "National Vulnerability Database".
Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text.

CVE-2022-0826
via "National Vulnerability Database".
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.