CVE-2023-0764
The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scripting vulnerability. The attacker must have at least the privileges of the Author role.
via "National Vulnerability Database".
CVE-2023-1473
The Slider, Gallery, and Carousel by MetaSlider WordPress plugin 3.29.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
via "National Vulnerability Database".
CVE-2023-1427
The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.
via "National Vulnerability Database".
CVE-2023-1282
The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.
via "National Vulnerability Database".
CVE-2022-44726
The TouchDown Timesheet tracking component 4.1.4 for Jira allows XSS in the calendar view.
via "National Vulnerability Database".
CVE-2023-1274
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as a subscriber, to perform LFI attacks.
via "National Vulnerability Database".
CVE-2023-1413
The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
via "National Vulnerability Database".
CVE-2023-1723
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veragroup Mobile Assistant allows SQL Injection. This issue affects Mobile Assistant: before 21.S.2343.
via "National Vulnerability Database".
CVE-2023-1371
The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them.
via "National Vulnerability Database".
CVE-2023-0889
Themeflection Numbers WordPress plugin before 2.0.1 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, such as enabling registration and setting the default role to administrator.
via "National Vulnerability Database".
CVE-2023-1325
The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
via "National Vulnerability Database".
CVE-2023-1373
The W4 Post List WordPress plugin before 2.4.6 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
via "National Vulnerability Database".
CVE-2023-0367
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
via "National Vulnerability Database".
CVE-2023-27733
DedeCMS v5.7.106 was discovered to contain a SQL injection vulnerability via the component /dede/sys_sql_query.php.
via "National Vulnerability Database".
CVE-2023-0374
The W4 Post List WordPress plugin before 2.4.6 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
via "National Vulnerability Database".
Name That Toon: Lucky Charm
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
via "Dark Reading".
CVE-2023-29665
D-Link DIR823G_V1.0.2B05 was discovered to contain a stack overflow via the NewPassword parameter in SetPasswdSettings.
via "National Vulnerability Database".
CVE-2023-25504
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
via "National Vulnerability Database".
CVE-2023-27525
An authenticated user with Gamma role authorization could have access to metadata information using non-trivial methods in Apache Superset up to and including 2.0.1.
via "National Vulnerability Database".
Aloha PoS Restaurant Software Downed by Ransomware Attack
Thousands of restaurants impacted by what Aloha PoS parent company NCR says was a ransomware attack on one of its data centers.
via "Dark Reading".
How CISOs Can Craft Better Narratives for the Board
Communicating cyber-risk upward to the C-suite and board takes simplification and a better understanding of the audience.
via "Dark Reading".