β Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store β
π Read
via "Naked Security".
Microsoft says "successful exploitation requires uncommon user interaction", but it's the innocent and accidental leakage of private data you should be concerned about.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Drive to Pervasive Encryption Boosts Key Management π΄
π Read
via "Dark Reading".
Key vaults, aka key management as a service (KMaaS), promise to allow companies to encrypt sensitive data across cloud and third parties with granular control.π Read
via "Dark Reading".
Dark Reading
Drive to Pervasive Encryption Boosts Key Management
Key vaults, aka key-management-as-a-service (KMaaS), promise to allow companies to encrypt sensitive data across cloud and third parties with granular control.
π΄ 7 Women Leading the Charge in Cybersecurity Research & Analysis π΄
π Read
via "Dark Reading".
From rising stars to veterans heading up research teams, check out our profiles of women making a big impact in cyber defense as the threat landscape expands.π Read
via "Dark Reading".
Dark Reading
7 Women Leading the Charge in Cybersecurity Research & Analysis
From rising stars to veterans heading up research teams, check out our profiles of women making a big impact in cyber defense as the threat landscape expands.
βΌ CVE-2023-0589 βΌ
π Read
via "National Vulnerability Database".
The WP Image Carousel WordPress plugin through 1.0.2 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0498 βΌ
π Read
via "National Vulnerability Database".
The WP Education WordPress plugin before 1.2.7 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0660 βΌ
π Read
via "National Vulnerability Database".
The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0441 βΌ
π Read
via "National Vulnerability Database".
The Gallery Blocks with Lightbox WordPress plugin before 3.0.8 has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user role.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0336 βΌ
π Read
via "National Vulnerability Database".
The OoohBoi Steroids for Elementor WordPress plugin through 2.1.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0495 βΌ
π Read
via "National Vulnerability Database".
The HT Slider For Elementor WordPress plugin before 1.4.0 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0955 βΌ
π Read
via "National Vulnerability Database".
The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27245 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in File Management Project 1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Edit User module.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1093 βΌ
π Read
via "National Vulnerability Database".
The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0816 βΌ
π Read
via "National Vulnerability Database".
The Formidable Forms WordPress plugin before 6.1 uses several potentially untrusted headers to determine the IP address of the client, leading to IP Address spoofing and bypass of anti-spam protections.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1400 βΌ
π Read
via "National Vulnerability Database".
The Modern Events Calendar Lite WordPress plugin through 5.16.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2022-48426 βΌ
π Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2022.10.3 stored XSS in Perforce connection settings was possibleπ Read
via "National Vulnerability Database".
βΌ CVE-2023-1399 βΌ
π Read
via "National Vulnerability Database".
N6854A Geolocation Server versions 2.4.2 are vulnerable to untrusted data deserialization, which may allow a malicious actor to escalate privileges in the affected deviceΓ’β¬β’s default configuration and achieve remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0497 βΌ
π Read
via "National Vulnerability Database".
The HT Portfolio WordPress plugin before 1.1.6 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0823 βΌ
π Read
via "National Vulnerability Database".
The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.4.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0502 βΌ
π Read
via "National Vulnerability Database".
The WP News WordPress plugin through 1.1.9 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2023-25828 βΌ
π Read
via "National Vulnerability Database".
Pluck CMS is vulnerable to an authenticated remote code execution (RCE) vulnerability through its Γ’β¬ΕalbumsΓ’β¬οΏ½ module. Albums are used to create collections of images that can be inserted into web pages across the site. Albums allow the upload of various filetypes, which undergo a normalization process before being available on the site. Due to lack of file extension validation, it is possible to upload a crafted JPEG payload containing an embedded PHP web-shell. An attacker may navigate to it directly to achieve RCE on the underlying web server. Administrator credentials for the Pluck CMS web interface are required to access the albums module feature, and are thus required to exploit this vulnerability. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C (8.2 High)π Read
via "National Vulnerability Database".
βΌ CVE-2023-1654 βΌ
π Read
via "National Vulnerability Database".
Denial of Service in GitHub repository gpac/gpac prior to 2.4.0.π Read
via "National Vulnerability Database".