🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2022-3838 ‼

The WPUpper Share Buttons WordPress plugin through 3.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

via "National Vulnerability Database".

‼ CVE-2022-3249 ‼

The WP CSV Exporter WordPress plugin before 1.3.7 does not properly sanitise and escape some parameters before using them in a SQL statement, allowing high privilege users such as admin to perform SQL injection attacks.

via "National Vulnerability Database".

‼ CVE-2022-3856 ‼

The Comic Book Management System WordPress plugin before 2.2.0 does not sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

via "National Vulnerability Database".

‼ CVE-2022-3846 ‼

The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

via "National Vulnerability Database".

‼ CVE-2022-3830 ‼

The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

via "National Vulnerability Database".

‼ CVE-2022-3926 ‼

The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have a CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID.

via "National Vulnerability Database".

‼ CVE-2022-3907 ‼

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

via "National Vulnerability Database".

‼ CVE-2022-3858 ‼

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.

via "National Vulnerability Database".

πŸ‘1
‼ CVE-2022-3426 ‼

The Advanced WP Columns WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

via "National Vulnerability Database".

‼ CVE-2022-3909 ‼

The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

via "National Vulnerability Database".

‼ CVE-2022-3694 ‼

The Syncee WordPress plugin before 1.0.10 leaks the administrator token that can be used to take over the administrator's account.

via "National Vulnerability Database".

‼ CVE-2022-1540 ‼

The PostmagThemes Demo Import WordPress plugin through 1.0.7 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) leading to RCE.

via "National Vulnerability Database".

🕴 Cybersecurity Should Focus on Managing Risk 🕴

Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimizing the greatest risks.

via "Dark Reading".

🕴 Cyberattack Shuts Down French Hospital 🕴

Patients transferred and operations canceled following a recent network breach at a hospital in the outskirts of Paris.

via "Dark Reading".

β™ŸοΈ Judge Orders U.S. Lawyer in Russian Botnet Case to Pay Google β™ŸοΈ

In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet's largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google's legal fees.

via "Krebs on Security".

🕴 Hive Social Buzzing With Security Flaws, Analysts Warn 🕴

Twitter alternative Hive Social took down its servers after researchers discovered several critical vulnerabilities.

via "Dark Reading".

‼ CVE-2022-43516 ‼

A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI).

via "National Vulnerability Database".

‼ CVE-2022-43097 ‼

Phpgurukul User Registration & User Management System v3.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the registration form & login pages.

via "National Vulnerability Database".

‼ CVE-2022-43515 ‼

Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained, and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using an IP address not listed in the defined range.

via "National Vulnerability Database".

πŸ‘1
‼ CVE-2022-4292 ‼

Use After Free in GitHub repository vim/vim prior to 9.0.0882.

via "National Vulnerability Database".

‼ CVE-2022-23467 ‼

OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need access to a user's keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices.

via "National Vulnerability Database".