Correspondence from Shopify declined to comment regarding new discovered
vulnerabilities within their website.
Although ‘frontend’ vulnerabilities are considered out of scope,
person/tester foundhimself a beefy bugbounty from the same page that has
been listed below, including similar functionality that has not been tested
yet.
Two emails and several reports, the ‘hacker-1’ staff reject the bid for
findings.
A vulnerability was found in dd32 Debug Bar Plugin up to 0.8. It has been declared as problematic. Affected by this vulnerability is the function render of the file panels/class-debug-bar-queries.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.8.1 is able to address this issue. The name of the patch is 0842af8f8a556bc3e39b9ef758173b0a8a9ccbfc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222739.
A vulnerability in the upgrade signature verification of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, local attacker to provide an unauthentic upgrade file for upload. This vulnerability is due to insufficient cryptographic signature verification of upgrade files. An attacker could exploit this vulnerability by providing an administrator with an unauthentic upgrade file. A successful exploit could allow the attacker to fully compromise the Cisco NFVIS system.
HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability. By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim’s web browser to perform operations as the victim and/or steal the victim’s cookies, session tokens, or other sensitive information.
IBM Financial Transaction Manager 3.2.0 through 3.2.10 could allow an authenticated user to perform unauthorized actions due to improper validation. IBM X-Force ID: 192954.
Many things challenge how we practice cybersecurity these days. Digital transformation has brought significant adoption of new technology and business models, including cloud solutions, e-commerce platforms, smart devices, and a significantly more distributed workforce. These, in turn, have brought with them an increase in new threats, risks, and cybercrime.
As organizations emerge post-pandemic, many of the risks and uncertainties manifested during that period will persist, including the hybrid workforce, supply chain risk, and other cybersecurity challenges.
Let’s look at some of these cybersecurity challenges and how automation can level the playing field.
A novel Linux version of the IceFire ransomware that exploits a vulnerability in IBM’s Aspera Faspex file-sharing software has been identified by SentinelLabs, a research division of cybersecurity company Sentinel One.
The exploit is for CVE-2022-47986, a recently patched Aspera Faspex vulnerability.
Known up to now to target only Windows systems, the IceFire malware detected by SentinelLabs uses an iFire extension, consistent with a February report from MalwareHunterTeam — a group of independent cybersecurity researchers analyzing and tracking threats — that IceFire is shifting focus to Linux enterprise systems.