β Fake Reservation Links Prey on Weary Travelers β
π Read
via "Threat Post".
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.π Read
via "Threat Post".
Threat Post
Fake Reservation Links Prey on Weary Travelers
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
βΌ CVE-2022-1340 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-2930 βΌ
π Read
via "National Vulnerability Database".
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.π Read
via "National Vulnerability Database".
π1
β Laptop denial-of-service via music: the 1980s R&B song with a CVE! β
π Read
via "Naked Security".
We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)π Read
via "Naked Security".
Naked Security
Laptop denial-of-service via music: the 1980s R&B song with a CVE!
We havenβt validated this vuln ourselvesβ¦ but the source of the story is impeccable. (Impeccably dressed, at least.)
βΌ CVE-2022-2312 βΌ
π Read
via "National Vulnerability Database".
The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2594 βΌ
π Read
via "National Vulnerability Database".
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3586 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-2593 βΌ
π Read
via "National Vulnerability Database".
The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24911 βΌ
π Read
via "National Vulnerability Database".
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33900 βΌ
π Read
via "National Vulnerability Database".
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2890 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2555 βΌ
π Read
via "National Vulnerability Database".
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2392 βΌ
π Read
via "National Vulnerability Database".
The Lana Downloads Manager WordPress plugin before 1.8.0 is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35654 βΌ
π Read
via "National Vulnerability Database".
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2557 βΌ
π Read
via "National Vulnerability Database".
The Team WordPress plugin before 4.1.2 contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the userπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2362 βΌ
π Read
via "National Vulnerability Database".
The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based download blocking restrictions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2558 βΌ
π Read
via "National Vulnerability Database".
The Simple Job Board WordPress plugin before 2.10.0 is susceptible to Directory Listing which allows the public listing of uploaded resumes in certain configurations.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36346 βΌ
π Read
via "National Vulnerability Database".
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35656 βΌ
π Read
via "National Vulnerability Database".
Pega Platform from 8.3 to 8.7.3 vulnerability may allow authenticated security administrators to alter CSRF settings directly.π Read
via "National Vulnerability Database".
βΌ CVE-2022-34775 βΌ
π Read
via "National Vulnerability Database".
Tabit - Excessive data exposure. Another endpoint mapped by the tiny url, was one for reservation cancellation, containing the MongoDB ID of the reservation, and organization. This can be used to query the http://tgm-api.tabit.cloud/rsv/management/{reservationId}?organization={orgId} API which returns a lot of data regarding the reservation (OWASP: API3): Name, mail, phone number, the number of visits of the user to this specific restaurant, the money he spent there, the money he spent on alcohol, whether he left a deposit etc. This information can easily be used for a phishing attack.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35655 βΌ
π Read
via "National Vulnerability Database".
Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.π Read
via "National Vulnerability Database".