βΌ CVE-2022-1528 βΌ
π Read
via "National Vulnerability Database".
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.9 does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1562 βΌ
π Read
via "National Vulnerability Database".
The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloadsπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1527 βΌ
π Read
via "National Vulnerability Database".
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0642 βΌ
π Read
via "National Vulnerability Database".
The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugins admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability where an attacker can trick a logged in administrator to inject arbitrary javascript.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1583 βΌ
π Read
via "National Vulnerability Database".
The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1542 βΌ
π Read
via "National Vulnerability Database".
The HPB Dashboard WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1589 βΌ
π Read
via "National Vulnerability Database".
The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vectorπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1568 βΌ
π Read
via "National Vulnerability Database".
The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1456 βΌ
π Read
via "National Vulnerability Database".
The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high privilege users such as admin to perform Store Cross-Site Scripting attack even when unfiltered_html is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1646 βΌ
π Read
via "National Vulnerability Database".
The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1009 βΌ
π Read
via "National Vulnerability Database".
The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration fileπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1582 βΌ
π Read
via "National Vulnerability Database".
The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1556 βΌ
π Read
via "National Vulnerability Database".
The StaffList WordPress plugin before 3.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement when searching for Staff in the admin dashboard, leading to an SQL Injectionπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1611 βΌ
π Read
via "National Vulnerability Database".
The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1294 βΌ
π Read
via "National Vulnerability Database".
The IMDB info box WordPress plugin through 2.0 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-0376 βΌ
π Read
via "National Vulnerability Database".
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1387 βΌ
π Read
via "National Vulnerability Database".
The No Future Posts WordPress plugin through 1.4 does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1564 βΌ
π Read
via "National Vulnerability Database".
The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowedπ Read
via "National Vulnerability Database".
π GRR 3.4.6.0 π
π Read
via "Packet Storm Security".
GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. GRR consists of 2 parts: client and server. GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, GRR client periodically polls GRR frontend servers for work. "Work" means running a specific action: downloading file, listing a directory, etc. GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.π Read
via "Packet Storm Security".
Packetstormsecurity
GRR 3.4.6.0 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
β Zero-Day βFollinaβ Bug Lays Older Microsoft Office Versions Open to Attack β
π Read
via "Threat Post".
Malware loads itself from remote servers and bypasses Microsoft's Defender AV scanner, according to reports.π Read
via "Threat Post".
Threat Post
Zero-Day βFollinaβ Bug Lays Microsoft Office Open to Attack
Malware loads itself from remote servers and bypasses Microsoft's Defender AV scanner, according to reports.
π΄ 6 Steps to Ensure Cyber Resilience π΄
π Read
via "Dark Reading".
To minimize the impact of cyber incidents, organizations must be pragmatic and develop a strategy of resilience for dealing with break-ins, advanced malware, and data theft.π Read
via "Dark Reading".
Dark Reading
6 Steps to Ensure Cyber Resilience
To minimize the impact of cyber incidents, organizations must be pragmatic and develop a strategy of resilience for dealing with break-ins, advanced malware, and data theft.