CVE-2023-1371 (via National Vulnerability Database)
The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated users to access them.
CVE-2023-0889 (via National Vulnerability Database)
The Themeflection Numbers WordPress plugin before 2.0.1 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, such as enabling registration and setting the default role to administrator.
CVE-2023-1325 (via National Vulnerability Database)
The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-1373 (via National Vulnerability Database)
The W4 Post List WordPress plugin before 2.4.6 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
CVE-2023-0367 (via National Vulnerability Database)
The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-27733 (via National Vulnerability Database)
DedeCMS v5.7.106 was discovered to contain a SQL injection vulnerability via the component /dede/sys_sql_query.php.
CVE-2023-0374 (via National Vulnerability Database)
The W4 Post List WordPress plugin before 2.4.6 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Name That Toon: Lucky Charm (via Dark Reading)
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.
CVE-2023-29665 (via National Vulnerability Database)
D-Link DIR823G_V1.0.2B05 was discovered to contain a stack overflow via the NewPassword parameters in SetPasswdSettings.
CVE-2023-25504 (via National Vulnerability Database)
A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.
CVE-2023-27525 (via National Vulnerability Database)
An authenticated user with Gamma role authorization could have access to metadata information using non-trivial methods in Apache Superset up to and including 2.0.1.
Aloha PoS Restaurant Software Downed by Ransomware Attack (via Dark Reading)
Thousands of restaurants impacted by what Aloha PoS parent company NCR says was a ransomware attack on one of its data centers.
How CISOs Can Craft Better Narratives for the Board (via Dark Reading)
Communicating cyber-risk upward to the C-suite and board takes simplification and a better understanding of the audience.
Pen Testers Need to Hack AI, but Also Question Its Existence (via Dark Reading)
Learning how to break the latest AI models is important, but security researchers should also question whether there are enough guardrails to prevent the technology's misuse.
CVE-2023-29004 (via National Vulnerability Database)
hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. Successful exploitation of this vulnerability could allow an attacker with user level privileges to obtain the content of arbitrary files on the file server within the scope of what the server process has access to. The root cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal, but still allows reading files from absolute locations passed via the config_file_name parameter.
CVE-2015-10103 (via National Vulnerability Database)
A vulnerability, which was classified as problematic, was found in InternalError503 Forget It up to 1.3. This affects an unknown part of the file js/settings.js. The manipulation of the argument setForgetTime with the input 0 leads to infinite loop. It is possible to launch the attack on the local host. Upgrading to version 1.4 is able to address this issue. The name of the patch is adf0c7fd59b9c935b4fd675c556265620124999c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226119.
CVE-2015-10102 (via National Vulnerability Database)
A vulnerability, which was classified as critical, has been found in Freshdesk Plugin 1.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to open redirect. The attack may be launched remotely. Upgrading to version 1.8 is able to address this issue. The name of the patch is 2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b. It is recommended to upgrade the affected component. VDB-226118 is the identifier assigned to this vulnerability.
NSA's National Centers for Academic Excellence (NCAE) Cyber Games to Hold National Finals on April 22 (via Dark Reading)
Cyber Florida at the University of South Florida-Tampa will host the national championship round of the NCAE Cyber Games on April 22 on the University of South Florida-Tampa campus. The event will be live-streamed via Twitch at https://www.twitch.tv/nc…
lockr Raises $2.5M (via Dark Reading)
lockr preserves open access to information across the Internet while honoring consumer privacy and choice.
Google Issues Emergency Chrome Update for Zero-Day Bug (via Dark Reading)
Because the security vulnerability is under active exploit, Google isn't releasing full details of the flaw while users could remain vulnerable.
FIN7, Former Conti Gang Members Collaborate on 'Domino' Malware (via Dark Reading)
Members of the former ransomware group are using a FIN7 backdoor to deliver malware, including Cobalt Strike, to victim systems.