CVE-2023-1468
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipulation of the argument date_from/date_to leads to SQL injection. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-223327.
via "National Vulnerability Database".
CVE-2023-1463
Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
via "National Vulnerability Database".
CVE-2023-1467
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223326 is the identifier assigned to this vulnerability.
via "National Vulnerability Database".
CVE-2023-1469
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This can potentially be exploited by lower-privileged users if the `Admin Dashboard Access Permission` setting is set for those users to access the dashboard.
via "National Vulnerability Database".
CVE-2022-43461
Stored Cross-Site Scripting (XSS) vulnerability in John West Slideshow SE plugin <= 2.5.5 versions.
via "National Vulnerability Database".
CVE-2022-45817
Cross-Site Scripting (XSS) vulnerability in Erin Garscadden GC Testimonials plugin <= 1.3.2 versions.
via "National Vulnerability Database".
CVE-2022-45814
Stored Cross-Site Scripting (XSS) vulnerability in Fabian von Allmen WP Calendar plugin <= 1.5.3 versions.
via "National Vulnerability Database".
CVE-2023-23622
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or not. As a result, any user can technically poll a sensitive tag to determine if a new topic is created in a category which the user does not have access to. In version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, the count of topics displayed for a tag defaults to only counting regular topics which are not in read restricted categories. Staff users will continue to see a count of all topics regardless of the topic's category read restrictions.
via "National Vulnerability Database".
CVE-2023-1471
The WP Popup Banners plugin for WordPress is vulnerable to SQL Injection via the 'banner_id' parameter in versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
via "National Vulnerability Database".
CVE-2023-1475
A vulnerability, which was classified as critical, has been found in SourceCodester Canteen Management System 1.0. This issue affects the function query of the file createuser.php. The manipulation of the argument uemail leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223337 was assigned to this vulnerability.
via "National Vulnerability Database".
Technology Firms Delivering Much-Sought Encryption-in-Use
If the approaches stand up to scrutiny, companies may soon be able to encrypt most databases in a way that allows using data without needing to decrypt to plaintext.
via "Dark Reading".
S3 Ep 126: The price of fast fashion (and feature creep) [Audio + Text]
Worried about rogue apps? Unsure about the new Outlook zero-day? Clear advice in plain English... just like old times, with Duck and Chet!
via "Naked Security".
Dangerous Android phone 0-day bugs revealed – patch or work around them now!
Despite its usually inflexible 0-day disclosure policy, Google is keeping four mobile modem bugs semi-secret due to likely ease of exploitation.
via "Naked Security".
CVE-2023-25172
Discourse is an open-source discussion platform. Prior to version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches, a maliciously crafted URL can be included in a user's full name field to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. The vulnerability is patched in version 3.0.1 of the `stable` branch and version 3.1.0.beta2 of the `beta` and `tests-passed` branches. As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
via "National Vulnerability Database".
CVE-2023-28107
Discourse is an open-source discussion platform. Prior to version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches, a user logged in as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a site using multisite, then it can affect the whole cluster. The vulnerability is patched in version 3.0.2 of the `stable` branch and version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
via "National Vulnerability Database".
CVE-2022-46867
Cross-Site Request Forgery (CSRF) vulnerability in Chasil Universal Star Rating plugin <= 2.1.0 version.
via "National Vulnerability Database".
CVE-2022-46854
Cross-Site Request Forgery (CSRF) vulnerability in Obox Themes Launchpad – Coming Soon & Maintenance Mode plugin <= 1.0.13 versions.
via "National Vulnerability Database".
CVE-2023-0027
Rockwell Automation Modbus TCP Server AOI prior to 2.04.00 is vulnerable to an unauthorized user sending a malformed message that could cause the controller to respond with a copy of the most recent response to the last valid request. If exploited, an unauthorized user could read the connected device’s Modbus TCP Server AOI information.
via "National Vulnerability Database".
CVE-2023-28111
Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the `beta` and `tests-passed` branches, attackers are able to bypass Discourse's server-side request forgery (SSRF) protection for private IPv4 addresses by using an IPv4-mapped IPv6 address. The issue is patched in version 3.1.0.beta3 of the `beta` and `tests-passed` branches. There are no known workarounds.
via "National Vulnerability Database".
Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug
Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface mean that almost any business user could be a victim.
via "Dark Reading".
Prancer Announces Integration With ChatGPT for Enhanced Security Assessments
SAN DIEGO, Calif., March 17, 2023 /PRNewswire-PRWeb/ -- We are thrilled to announce that Prancer, a leading cloud security solution provider, has integrated its SOC2 Type II certified cloud security solution with ChatGPT, a highly advanced language model…
via "Dark Reading".