CVE-2022-3420
via "National Vulnerability Database".
The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks.
CVE-2022-3773
via "National Vulnerability Database".
A vulnerability has been found in EmbedPress Plugin and classified as problematic. Affected by this vulnerability is an unknown functionality of the file post.php of the component Shortcode Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212503.
CVE-2021-40241
via "National Vulnerability Database".
xfig 3.2.7 is vulnerable to Buffer Overflow.
CVE-2022-3254
via "National Vulnerability Database".
The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection.
CVE-2022-3419
via "National Vulnerability Database".
The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves, such as administrator.
CVE-2022-3357
via "National Vulnerability Database".
The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious file, and a suitable gadget chain is present on the site.
CVE-2022-3441
via "National Vulnerability Database".
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2022-3237
via "National Vulnerability Database".
The WP Contact Slider WordPress plugin before 2.4.8 does not sanitize and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-2167
via "National Vulnerability Database".
The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting.
CVE-2022-3366
via "National Vulnerability Database".
The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.
CVE-2022-40471
via "National Vulnerability Database".
Remote Code Execution in Clinic's Patient Management System v 1.0 allows an attacker to upload an arbitrary PHP webshell via the profile picture upload functionality in users.php.
Accused "Raccoon" Malware Developer Fled Ukraine After Russian Invasion
via "Krebs on Security".
A 26-year-old Ukrainian man is awaiting extradition to the United States on charges that he acted as a core developer for Raccoon, a "malware-as-a-service" offering that helped paying customers steal passwords and financial data from millions of cybercrime victims. KrebsOnSecurity has learned that the defendant was busted in March 2022, after fleeing mandatory military service in Ukraine in the weeks following the Russian invasion.
CVE-2022-41688
via "National Vulnerability Database".
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack proper authentication for functions that create and modify user groups. An attacker could provide malicious serialized objects that could run these functions without authentication to create a new user and add them to the administrator group.
CVE-2022-40293
via "National Vulnerability Database".
The application was vulnerable to a session fixation that could be used to hijack accounts.
CVE-2022-41644
via "National Vulnerability Database".
Delta Electronics InfraSuite Device Master versions 00.00.01a and prior lack authentication for a function that changes group privileges. An attacker could use this to create a denial-of-service state or escalate their own privileges.
CVE-2022-40288
via "National Vulnerability Database".
The application was vulnerable to an authenticated Stored Cross-Site Scripting (XSS) in the user profile data fields, which could be leveraged to escalate privileges within and compromise any account that views their user profile.
CVE-2022-28763
via "National Vulnerability Database".
The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers.
CVE-2022-41772
via "National Vulnerability Database".
Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior mishandle .ZIP archives containing characters used in path traversal. This path traversal could result in remote code execution.
CVE-2022-41657
via "National Vulnerability Database".
Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior allow attacker provided data already serialized into memory to be used in file operation application programmable interfaces (APIs). This could create arbitrary files, which could be used in API operations and could ultimately result in remote code execution.
CVE-2022-42923
via "National Vulnerability Database".
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the 'appCore/index.php?r=adm/mediagallery/delete' function in order to dump the entire database or delete all contents from the 'core_user_file' table.
CVE-2022-40287
via "National Vulnerability Database".
The application was found to be vulnerable to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in messaging functionality, leading to privilege escalation or a compromise of a targeted account.