βΌ CVE-2023-23718 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Esstat17 Page Loading Effects plugin <= 2.0.0 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28424 βΌ
π Read
via "National Vulnerability Database".
Soko if the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection via the `q` parameter. As a result, unauthenticated attackers can execute arbitrary SQL queries on `https://packages.gentoo.org/`. It was also demonstrated that primitive was enough to gain code execution in the context of the PostgreSQL container. The issue was addressed in commit `4fa6e4b619c0362728955b6ec56eab0e0cbf1e23y` of version 1.0.2 using prepared statements to interpolate user-controlled data in SQL queries.π Read
via "National Vulnerability Database".
β€1
βΌ CVE-2022-47592 βΌ
π Read
via "National Vulnerability Database".
Reflected Cross-Site Scripting (XSS) vulnerability in Dmytriy.Cooperman MagicForm plugin <= 0.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22679 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Nicolas Lemoine WP Better Emails plugin <= 0.4 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22678 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Rafael Dery Superior FAQ plugin <= 1.0.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22682 βΌ
π Read
via "National Vulnerability Database".
Reflected Cross-Site Scripting (XSS) vulnerability in Manuel Masia | Pixedelic.Com Camera slideshow plugin <= 1.4.0.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47591 βΌ
π Read
via "National Vulnerability Database".
Reflected Cross-Site Scripting (XSS) vulnerability in Mickael Austoni Map Multi Marker plugin <= 3.2.1 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22680 βΌ
π Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Altanic No API Amazon Affiliate plugin <= 4.2.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26513 βΌ
π Read
via "National Vulnerability Database".
Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger.This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.π Read
via "National Vulnerability Database".
βοΈ Why You Should Opt Out of Sharing Data With Your Mobile Provider βοΈ
π Read
via "Krebs on Security".
A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device -- unless and until you affirmatively opt out of this data collection. Here's a primer on why you might want to do that, and how. Certain questions might be coming to mind right now, like "What the heck is CPNI?" And, 'If it's so 'customer proprietary,' why is AT&T sharing it with marketers?" Also maybe, "What can I do about it?" Read on for answers to all three questions.π Read
via "Krebs on Security".
Krebs on Security
Why You Should Opt Out of Sharing Data With Your Mobile Provider
A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device --β¦
β€1π1
β Dangerous Android phone 0-day bugs revealed β patch or work around them now! β
π Read
via "Naked Security".
Despite its usually inflexible 0-day disclosure policy, Google is keeping four mobile modem bugs semi-secret due to likely ease of exploitation.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2023-28429 βΌ
π Read
via "National Vulnerability Database".
Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28428 βΌ
π Read
via "National Vulnerability Database".
PDFio is a C library for reading and writing PDF files. In versions 1.1.0 and prior, a denial of service vulnerability exists in the pdfio parser. Crafted pdf files can cause the program to run at 100% utilization and never terminate. This is different from CVE-2023-24808. A patch for this issue is available in version 1.1.1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1515 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28426 βΌ
π Read
via "National Vulnerability Database".
savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now be sanitised using HTMLPurifier. The maintainers have also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they're not legal within the SVG context. There are no known workarounds.π Read
via "National Vulnerability Database".
π΄ Cyberattackers Hoop NBA Fan Data via Third-Party Vendor π΄
π Read
via "Dark Reading".
The basketball playoffs are around the corner and convincing social-engineering attacks on fans using NBA-themed lures could be too.π Read
via "Dark Reading".
Dark Reading
Cyberattackers Hoop NBA Fan Data via Third-Party Vendor
The basketball playoffs are around the corner and convincing social-engineering attacks on fans using NBA-themed lures could be too.
β Bitcoin ATM customers hacked by video upload that was actually an app β
π Read
via "Naked Security".
As the misquote goes, "Once is misfortune..." This is the second time, and you know what Lady Bracknell had to say about that...π Read
via "Naked Security".
Naked Security
Bitcoin ATM customers hacked by video upload that was actually an app
As the misquote goes, βOnce is misfortuneβ¦β This is the second time, and you know what Lady Bracknell had to say about thatβ¦
π€1
π΄ Cops Nab BreachForums Boss in New York π΄
π Read
via "Dark Reading".
The alleged mastermind of hacker forum Breach Forums, "pompompurin," has been arrested in New York City, according to court documents.π Read
via "Dark Reading".
Dark Reading
Cops Nab BreachForums Boss in New York
The alleged mastermind of hacker forum BreachForums, "pompompurin," has been arrested in New York City, according to court documents.
βΌ CVE-2023-0876 βΌ
π Read
via "National Vulnerability Database".
The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27586 βΌ
π Read
via "National Vulnerability Database".
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default.π Read
via "National Vulnerability Database".