CVE-2022-44354
via "National Vulnerability Database".
SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.
CVE-2022-46148
via "National Vulnerability Database".
Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the `stable` branch and versions 2.9.0.beta11 and prior on the `beta` and `tests-passed` branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse's default Content Security Policy. This issue is patched in the latest stable, beta and tests-passed versions of Discourse.
CVE-2022-46150
via "National Vulnerability Database".
Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This issue is patched in version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches. As a workaround, use the `disable_email` site setting to disable all emails to non-staff users.
Oracle Fusion Middleware Flaw Flagged by CISA
via "Dark Reading".
The bug could allow unauthorized access and takeover, earning it a spot on the Known Exploited Vulnerabilities Catalog.
CVE-2022-44279
via "National Vulnerability Database".
Garage Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /garage/php_action/createBrand.php.
Cyberattackers Selling Access to Networks Compromised via Recent Fortinet Flaw
via "Dark Reading".
The vulnerability, disclosed in October, gives an unauthenticated attacker a way to take control of an affected product.
How to Use Cyber Deception to Counter an Evolving and Advanced Threat Landscape
via "Dark Reading".
Organizations must be prepared to root out bad actors by any means possible, even if it means setting traps and stringing lures.
Microsoft Defender Gets New Security Protections
via "Dark Reading".
The new Microsoft Defender for Endpoint capabilities include built-in protection and scanning network traffic for malicious activity.
CVE-2022-4027
via "National Vulnerability Database".
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when responding to forum threads that will execute whenever a user accesses an injected page.
CVE-2022-4033
via "National Vulnerability Database".
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc.). This makes it possible for attackers to submit values other than the intended input type.
CVE-2022-3898
via "National Vulnerability Database".
The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-4032
via "National Vulnerability Database".
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
CVE-2022-36962
via "National Vulnerability Database".
SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.
CVE-2022-4031
via "National Vulnerability Database".
The Simple:Press plugin for WordPress is vulnerable to arbitrary file modifications in versions up to, and including, 6.8 via the 'file' parameter which does not properly restrict files to be edited in the context of the plugin. This makes it possible for attackers with high-level permissions, such as an administrator, to supply paths to arbitrary files on the server that can be modified outside of the intended scope of the plugin.
CVE-2022-3361
via "National Vulnerability Database".
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.
CVE-2022-36960
via "National Vulnerability Database".
SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.
CVE-2022-3383
via "National Vulnerability Database".
The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.
CVE-2022-3747
via "National Vulnerability Database".
The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's settings like betheme_url_slug, replaced_theme_author, and betheme_label, to name a few, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-3896
via "National Vulnerability Database".
The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.
CVE-2022-36964
via "National Vulnerability Database".
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-3897
via "National Vulnerability Database".
The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.