CVE-2021-4332
via "National Vulnerability Database".
The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor created page. This Info Box can include an SVG image for the box. Unfortunately, the plugin used file_get_contents with no verification that the file being supplied was an SVG file, so any user with access to the Elementor page builder, such as contributors, could read arbitrary files on the WordPress installation.
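Added example (not the plugin's code): the unchecked file_get_contents pattern the advisory describes, beside a hardened reader that confines the path to the uploads directory, requires a .svg extension and checks that the bytes are an SVG document. The temp-directory layout, fixture files and function names are assumptions for the demo; inside WordPress the base directory would come from wp_upload_dir()['basedir'].

```php
<?php
// Added example, not code from The Plus Addons for Elementor.
// Runs stand-alone: it creates its own fixture files in a temp directory.

// Vulnerable: whatever path the page builder hands over is read verbatim.
function render_info_box_svg_vulnerable(string $svg_path): string {
    return (string) file_get_contents($svg_path); // wp-config.php, /etc/passwd, ...
}

// Hardened: only SVG files that live under the uploads directory are served.
function render_info_box_svg_hardened(string $svg_path, string $uploads_basedir): ?string {
    $base = realpath($uploads_basedir);
    $real = realpath($svg_path);
    if ($base === false || $real === false) {
        return null; // file or base directory does not exist
    }
    // realpath() has resolved ../ and symlinks, so a prefix test is reliable.
    // The trailing separator stops "/uploads_evil" passing as "/uploads".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // outside the uploads tree
    }
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'svg') {
        return null; // wrong extension
    }
    // Cap the read so a huge file cannot exhaust memory.
    $data = file_get_contents($real, false, null, 0, 1024 * 1024);
    if ($data === false || !preg_match('/<svg[\s>]/i', $data)) {
        return null; // unreadable, or not an SVG document
    }
    return $data;
}

// Constructed fixtures (assumed layout for the demo).
$dir = sys_get_temp_dir() . '/svg_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/uploads', 0700, true);
file_put_contents($dir . '/uploads/box.svg',
    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>');
file_put_contents($dir . '/secret.txt', 'DB_PASSWORD=example-secret');

// The vulnerable reader returns the secret file's contents.
var_dump(render_info_box_svg_vulnerable($dir . '/secret.txt'));
// The hardened reader rejects the traversal path (realpath lands outside uploads)...
var_dump(render_info_box_svg_hardened($dir . '/uploads/../secret.txt', $dir . '/uploads'));
// ...and still serves the legitimate SVG.
var_dump(render_info_box_svg_hardened($dir . '/uploads/box.svg', $dir . '/uploads'));

// Clean up the fixtures.
unlink($dir . '/uploads/box.svg');
unlink($dir . '/secret.txt');
rmdir($dir . '/uploads');
rmdir($dir);
```

The path check stops the file read; it does not make the SVG safe to inline, since a valid SVG from the uploads directory can still carry script. Sanitize the markup before embedding it, and keep the builder feature itself behind a capability check.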
CVE-2023-1253
via "National Vulnerability Database".
A vulnerability, which was classified as critical, was found in SourceCodester Health Center Patient Record Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-222483.
CVE-2022-4932
via "National Vulnerability Database".
The Total Upkeep plugin for WordPress is vulnerable to information disclosure in versions up to, and including 1.14.13. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above to retrieve back-up paths that can subsequently be used to download the back-up.
CVE-2022-4931
via "National Vulnerability Database".
The BackupWordPress plugin for WordPress is vulnerable to information disclosure in versions up to, and including 3.12. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above to retrieve back-up paths that can subsequently be used to download the back-up.
CVE-2023-24781
via "National Vulnerability Database".
Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\MemberLevel.php.
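Added example (not code from the Health Center Patient Record Management System or from Funadmin) covering the two injection shapes in the CVE-2023-1253 and CVE-2023-24781 entries: a value such as a login username, which a prepared statement handles, and an identifier such as a list of columns to select, which cannot be bound as a parameter and needs an allowlist. The table, its columns and the sample rows are constructed for the demo; SQLite in memory keeps it offline.

```php
<?php
// Added example; schema, rows and function names are assumptions for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, level INTEGER)');
$pdo->exec("INSERT INTO users (username, password_hash, level) VALUES ('alice', 'h1', 1), ('admin', 'h2', 9)");

// Vulnerable: the username is spliced into the SQL text.
function login_vulnerable(PDO $pdo, string $username): array {
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound, so it never reaches the SQL parser as syntax.
function login_fixed(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be parameterised: accept only allowlisted column names
// and quote them as identifiers. Sensitive columns simply are not in the list.
const USER_COLUMNS = ['id', 'username', 'level'];

function select_fields_fixed(PDO $pdo, array $requested): array {
    $cols = array_values(array_intersect($requested, USER_COLUMNS));
    if ($cols === []) {
        throw new InvalidArgumentException('no permitted columns requested');
    }
    $quoted = array_map(fn(string $c): string => '"' . $c . '"', $cols);
    $sql = 'SELECT ' . implode(', ', $quoted) . ' FROM users ORDER BY id';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs.
$payload = "' OR '1'='1";
// The string-built query matches every row; the prepared one matches none,
// because the payload is compared as a literal username.
var_dump(count(login_vulnerable($pdo, $payload)));
var_dump(count(login_fixed($pdo, $payload)));
// password_hash is requested but not allowlisted, so it is silently dropped.
var_dump(select_fields_fixed($pdo, ['username', 'password_hash', 'level']));
```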
CVE-2020-36670
via "National Vulnerability Database".
The NEX-Forms plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modifying form submission records, deleting files, sending test emails, modifying plugin settings, and more.
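Added example (not code from Total Upkeep, BackupWordPress or NEX-Forms) for the three "missing authorization" entries above, CVE-2022-4932, CVE-2022-4931 and CVE-2020-36670: a heartbeat_received filter and a wp_ajax_* action, each first as the advisories describe them (no capability check) and then gated on current_user_can(). Hook names, option names, the nonce action and the choice of 'manage_options' are assumptions for the demo; the WordPress functions called are real, and the file is meant to be dropped in as an mu-plugin.

```php
<?php
/* Plugin Name: demo-authz (added example; not any vendor's code) */

// --- Heartbeat: fires for every logged-in user on admin screens. ---

// Vulnerable: being logged in is treated as authorization.
function demo_heartbeat_received_vulnerable(array $response, array $data): array {
    if (!empty($data['demo_backup_status'])) {
        $response['demo_backup_paths'] = get_option('demo_backup_paths', []);
    }
    return $response;
}

// Fixed: a subscriber still triggers the filter, but gets nothing extra.
function demo_heartbeat_received_fixed(array $response, array $data): array {
    if (empty($data['demo_backup_status'])) {
        return $response;
    }
    if (!current_user_can('manage_options')) {
        return $response;
    }
    $response['demo_backup_paths'] = get_option('demo_backup_paths', []);
    return $response;
}
add_filter('heartbeat_received', 'demo_heartbeat_received_fixed', 10, 2);

// --- AJAX: wp_ajax_{action} runs for any authenticated user. ---

// Vulnerable: no nonce, no capability check; any subscriber can call it.
function demo_ajax_delete_file_vulnerable(): void {
    $file = sanitize_text_field($_POST['file'] ?? '');
    // ... the plugin would delete $file here ...
    wp_send_json_success(['deleted' => $file]);
}

// Fixed: the nonce ties the request to a page this user loaded (anti-CSRF);
// the capability check is the authorization the advisories say was missing.
function demo_ajax_delete_file_fixed(): void {
    check_ajax_referer('demo_delete_file', 'nonce'); // dies on a missing or bad nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient permissions'], 403); // calls wp_die()
    }
    $file = sanitize_text_field($_POST['file'] ?? '');
    // ... delete $file here, after also confining it to the plugin's own directory ...
    wp_send_json_success(['deleted' => $file]);
}
add_action('wp_ajax_demo_delete_file', 'demo_ajax_delete_file_fixed');
// Deliberately no wp_ajax_nopriv_ registration: this action has no anonymous use.
```

Pick the capability that matches the action rather than defaulting to 'manage_options' everywhere; for file deletion or settings changes on a single site it is usually right, but read-only data may warrant a narrower check.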
CVE-2021-4333
via "National Vulnerability Database".
The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins, via a forged request provided they can trick a site administrator into performing an action such as clicking on a link.
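Added example (not code from WP Statistics) for the nonce point in the entry above: an admin-page action that activates or deactivates a plugin from request parameters, first without any nonce check, then with the link built by wp_nonce_url() and the handler verifying it with check_admin_referer() before checking the capability. The menu slug, action name and handler names are assumptions for the demo; it is meant to be loaded as an mu-plugin.

```php
<?php
/* Plugin Name: demo-csrf (added example; not any vendor's code) */

const DEMO_ACTION = 'demo_toggle_plugin';

// The link an administrator clicks. wp_nonce_url() appends _wpnonce, which
// is bound to the current user, the action string and a time window, so a
// link forged by a third party cannot carry a valid value.
function demo_toggle_link(string $plugin, string $state): string {
    $url = add_query_arg(
        ['page' => 'demo-plugins', 'action' => DEMO_ACTION, 'plugin' => $plugin, 'state' => $state],
        admin_url('admin.php')
    );
    return wp_nonce_url($url, DEMO_ACTION . '_' . $plugin);
}

// Vulnerable: acts on the parameters as soon as an admin loads the page,
// so a forged link or image tag is enough.
function demo_view_vulnerable(): void {
    if (($_GET['action'] ?? '') !== DEMO_ACTION) {
        return;
    }
    $plugin = sanitize_text_field($_GET['plugin'] ?? '');
    if (($_GET['state'] ?? '') === 'on') {
        activate_plugin($plugin);
    } else {
        deactivate_plugins($plugin);
    }
}

// Fixed: the nonce proves the request originated from a page this user was
// served; the capability check proves the user may do this at all. Both are
// needed, since a nonce is not an authorization check.
function demo_view_fixed(): void {
    if (($_GET['action'] ?? '') !== DEMO_ACTION) {
        return;
    }
    $plugin = sanitize_text_field($_GET['plugin'] ?? '');
    check_admin_referer(DEMO_ACTION . '_' . $plugin); // wp_die()s on a missing or bad nonce
    if (!current_user_can('activate_plugins')) {
        wp_die('insufficient permissions', '', 403);
    }
    if (($_GET['state'] ?? '') === 'on') {
        activate_plugin($plugin);
    } else {
        deactivate_plugins($plugin);
    }
    // Redirect so a refresh does not replay the action and the nonce leaves the URL.
    wp_safe_redirect(remove_query_arg(['action', 'plugin', 'state', '_wpnonce']));
    exit;
}
add_action('admin_init', 'demo_view_fixed');
```

Binding the plugin slug into the nonce action string means a nonce issued for one plugin cannot be replayed against another; a bare, constant action string would still stop cross-site forgery but not that substitution.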
CVE-2015-10087
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in UpThemes Theme DesignFolio Plus 1.2 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 53f6ae62878076f99718e5feb589928e83c879a9. It is recommended to apply a patch to fix this issue. The identifier VDB-221809 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2021-4331
via "National Vulnerability Database".
The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builder's functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors cannot publish posts, only author+ users can elevate privileges without interaction via a site administrator (to approve a post).
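Added example (not the plugin's code) for the role field described above. Hiding the field from contributors is not enough on its own, because the saved widget configuration is still attacker-controlled data by the time a visitor registers; the fix below treats the configured role as untrusted at registration time and honours only roles from a fixed allowlist, falling back to the site default otherwise. The allowlist and function names are assumptions for the demo; wp_insert_user() and get_option('default_role') are the real WordPress calls.

```php
<?php
// Added example; not code from The Plus Addons for Elementor.

// Roles a front-end registration form may ever assign. Anything with
// elevated capabilities stays out even if the widget settings say otherwise.
const DEMO_REGISTRATION_ROLES = ['subscriber', 'customer'];

// Pure resolver: returns an allowlisted role or the supplied site default.
function demo_resolve_registration_role(?string $configured_role, string $site_default): string {
    $role = strtolower(trim((string) $configured_role));
    if (in_array($role, DEMO_REGISTRATION_ROLES, true)) {
        return $role;
    }
    return $site_default;
}

// Vulnerable: the widget's configured value becomes the new user's role.
function demo_register_vulnerable(array $widget_settings, string $login, string $email, string $pass) {
    return wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $widget_settings['default_role'], // 'administrator' if a contributor set it
    ]);
}

// Fixed: the configured value passes through the allowlist first.
function demo_register_fixed(array $widget_settings, string $login, string $email, string $pass) {
    $role = demo_resolve_registration_role(
        $widget_settings['default_role'] ?? null,
        get_option('default_role', 'subscriber')
    );
    return wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ]);
}

// Same resolver applied when the widget settings are saved, so a contributor
// cannot persist 'administrator' in the first place (defence in depth; the
// registration-time check above is the one that must never be skipped).
function demo_sanitize_role_setting(string $submitted): string {
    return demo_resolve_registration_role($submitted, get_option('default_role', 'subscriber'));
}

// Stand-alone check of the resolver outside WordPress (constructed inputs):
var_dump(demo_resolve_registration_role('administrator', 'subscriber')); // falls back
var_dump(demo_resolve_registration_role(' Customer ', 'subscriber'));    // normalised and accepted
```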
CVE-2023-26953
via "National Vulnerability Database".
onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Administrator module.
DoppelPaymer ransomware suspects arrested in Germany and Ukraine
via "Naked Security".
Devices seized, suspects interrogated and arrested, allegedly connected to devastating cyberattack on University Hospital in Düsseldorf.
Scams Security Pros Almost Fell For
via "Dark Reading".
By working together as an industry, we can develop the technologies needed to account for human error.
99% of Cybersecurity Leaders Are Stressed About Email Security
via "Dark Reading".
LONDON, UK / March 7, 2023 - Egress, a cybersecurity company that provides intelligent email security, today released its Email Security Risk Report 2023. The report uncovers findings that demonstrate the prevalence of inbound and outbound email security…
Palo Alto Survey Reveals 90% of Organizations Cannot Resolve Cyberthreats Within an Hour
via "Dark Reading".
Third annual report identifies top security gaps and challenges for organizations operating in the cloud.
Serious Security: TPM 2.0 vulns – is your super-secure data at risk?
via "Naked Security".
Security bugs in the very code you've been told you must have to improve the security of your computer…
Employees Are Feeding Sensitive Biz Data to ChatGPT, Raising Security Fears
via "Dark Reading".
More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information.
ManageEngine Launches Security and Risk Posture Management in its SIEM Solution
via "Dark Reading".
LONDON, United Kingdom, March 7, 2023 – ManageEngine, the enterprise IT management division of Zoho Corporation, today announced that it has added a security and risk posture management dashboard to Log360, its unified security information and event management…
CVE-2023-25223
via "National Vulnerability Database".
CRMEB <=1.3.4 is vulnerable to SQL Injection via /api/admin/user/list.
CVE-2022-40676
via "National Vulnerability Database".
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 allows an attacker to execute unauthorized code or commands via specially crafted http requests.
CVE-2023-25611
via "National Vulnerability Database".
An improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows a local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names.
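Added example (not Fortinet code) of the neutralization the entry above says was missing: a CSV export that prefixes any cell beginning with a formula trigger character before writing, so a macro name such as =HYPERLINK(...) opens in a spreadsheet as text rather than being evaluated. The field names and rows are constructed for the demo.

```php
<?php
// Added example; the rows and column names below are constructed.

// Cells starting with = + - @ (or a tab / carriage return, which some
// spreadsheets also treat as a formula lead-in) get a single-quote prefix,
// which spreadsheets interpret as "this cell is text".
function csv_neutralise_cell(string $cell): string {
    if ($cell !== '' && strpos("=+-@\t\r", $cell[0]) !== false) {
        return "'" . $cell;
    }
    return $cell;
}

// fputcsv() quotes delimiters, quotes and line breaks correctly but does
// nothing about formulas, so neutralisation has to run on the values first.
function csv_export(array $rows): string {
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map('csv_neutralise_cell', array_map('strval', $row)));
    }
    rewind($fh);
    $out = stream_get_contents($fh);
    fclose($fh);
    return $out;
}

// Constructed sample: two benign macro names and two that a spreadsheet
// would otherwise evaluate on open.
$rows = [
    ['macro', 'owner'],
    ['daily_report', 'alice'],
    ['=HYPERLINK("https://example.invalid","open")', 'mallory'],
    ['-1+1', 'bob'],
];
echo csv_export($rows);
```

The leading quote is visible as a literal character in some tools that do not apply spreadsheet semantics; if that matters for the consumer, reject such values at input time (here, when the macro name is created) rather than only rewriting them on export.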
CVE-2023-23776
via "National Vulnerability Database".
An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4 and 6.4.0 through 6.4.10 may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer.