Read Time:7 Second
Directory Traversal vulnerability in Server functionalty in Even Balance Punkbuster version 1.902 before 1.905 allows remote attackers to execute arbitrary code.
Daily Archives: August 16, 2023
LockBit’s dirty little secret: ransomware gang is failing to publish victims’ data
Read Time:14 Second
The LockBit ransomware gang may be having more than a few headaches right now.
According to a researcher who spent a year undercover gathering intelligence on the LockBit group, the ransomware gang is trying to cover up “the fact it often cannot consistently publish stolen data.”
USN-6293-1: OpenStack Heat vulnerability
Read Time:8 Second
It was discovered that OpenStack Heat incorrectly handled certain hidden
parameter values. A remote authenticated user could possibly use this issue
to obtain sensitive data.
CVE-2023-1977
Read Time:14 Second
The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in it’s admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the sites internal network.
CVE-2023-1465
Read Time:12 Second
The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin
CVE-2023-1110
Read Time:15 Second
The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2023-0579
Read Time:12 Second
The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statement/s, which could allow any authenticated users, such as subscribers to perform SQL Injection attacks.
CVE-2023-0551
Read Time:11 Second
The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments
CVE-2023-0274
Read Time:15 Second
The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0058
Read Time:14 Second
The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack