‼ CVE-2022-35234 ‼
Trend Micro Security 2021 and 2022 (Consumer) is vulnerable to an Out-Of-Bounds Read Information Disclosure Vulnerability that could allow an attacker to read sensitive information from other memory locations and cause a crash on an affected machine.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-30083 ‼
EllieGrid Android Application version 3.4.1 is vulnerable to Code Injection. The application appears to evaluate user input as code (remote).
📖 Read via "National Vulnerability Database".
‼ CVE-2022-33158 ‼
Trend Micro VPN Proxy Pro version 5.2.1026 and below contains a vulnerability involving some overly permissive folders in a key directory which could allow a local attacker to obtain privilege escalation on an affected system.
📖 Read via "National Vulnerability Database".
‼ CVE-2021-27785 ‼
HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website.
📖 Read via "National Vulnerability Database".
🗓️ CompleteFTP path traversal flaw allowed attackers to delete server files 🗓️
Security issue fixed in version 22.1.1 of file transfer software.
📖 Read via "The Daily Swig".
❌ Securing Your Move to the Hybrid Cloud ❌
Infosec expert Rani Osnat lays out security challenges and offers hope for organizations migrating their IT stack to the private and public cloud environments.
📖 Read via "Threat Post".
🕴 For Big Tech, Neutrality Is Not an Option — and Never Really Was 🕴
Tech companies play a vital role in global communication, which has profound effects on how politics, policies, and human rights issues play out.
📖 Read via "Dark Reading".
‼ CVE-2022-2241 ‼
The Featured Image from URL (FIFU) WordPress plugin before 4.0.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-1324 ‼
The Event Timeline WordPress plugin through 1.1.5 does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2245 ‼
The Counter Box WordPress plugin before 1.2.1 lacks a CSRF check when activating and deactivating counters, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2171 ‼
The Progressive License WordPress plugin through 1.1.0 lacks any CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to a Stored XSS issue which will be triggered in the frontend as well.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-1950 ‼
The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-1585 ‼
The Project Source Code Download WordPress plugin through 1.0.0 does not protect its backup generation and download functionalities, which may allow any visitors on the site to download the entire site, including sensitive files like wp-config.php.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2181 ‼
The Advanced WordPress Reset WordPress plugin before 1.6 does not escape some generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2170 ‼
The Microsoft Advertising Universal Event Tracking (UET) WordPress plugin before 1.0.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Due to the nature of this plugin, well crafted XSS can also leak into the frontpage.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-27255 ‼
In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2184 ‼
The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack, to run arbitrary code on the server.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-1600 ‼
The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-26308 ‼
Pandora FMS v7.0NG.760 and below allows improper access control in Configuration (Credential store), where a user with the role of Operator (Write) could create, delete, and view existing keys, which is outside the intended role.
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2215 ‼
The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).
📖 Read via "National Vulnerability Database".
‼ CVE-2022-2325 ‼
The Invitation Based Registrations WordPress plugin through 2.2.84 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).
📖 Read via "National Vulnerability Database".