Lucene search

$0.99 Kindle Books Security Vulnerabilities

packetstorm

0.4AI Score

2020-04-10 12:00 AM
105
wpvulndb

WP Lead Plus X <= 0.99 - Multiple Cross-Site Request Forgery (CSRF)

None of the functions in this plugin use nonce checks, so it is possible for an attacker to perform any action that the plugin is capable of by tricking an administrator into clicking a specially crafted link designed to perform that action. This includes capabilities such as adding new pages,...

2.3AI Score

2020-04-07 12:00 AM
5
wpexploit

WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action core37_lp_save_page...

-0.4AI Score

0.001EPSS

3.5CVSS

2020-04-07 12:00 AM
13
wpvulndb

WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was...

1.2AI Score

0.001EPSS

4.3CVSS

2020-04-07 12:00 AM
5
patchstack

WordPress WP Lead Plus X plugin <= 0.98 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress WP Lead Plus X plugin (versions <= 0.98). Solution Update the WordPress WP Lead Plus X plugin to the latest available version (at least...

6.1CVSS

1.8AI Score

0.001EPSS

2020-04-07 12:00 AM
3
patchstack

WordPress WP Lead Plus X plugin <= 0.98 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by WordFence in WordPress WP Lead Plus X plugin (versions <= 0.98). Solution Update the WordPress WP Lead Plus X plugin to the latest available version (at least...

5.4CVSS

1.6AI Score

0.001EPSS

2020-04-07 12:00 AM
6
wpvulndb

WP Lead Plus X < 0.99 - Authenticated Stored Cross-Site Scripting (XSS)

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX action core37_lp_save_page...

-0.1AI Score

0.001EPSS

3.5CVSS

2020-04-07 12:00 AM
5
patchstack

WordPress WP Lead Plus X plugin <= 0.99 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability discovered by WordFence in WordPress WP Lead Plus X plugin (versions <= 0.99). Solution Patched version not available according to...

2.9AI Score

2020-04-07 12:00 AM
2
wpexploit

WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was...

-0.1AI Score

0.001EPSS

4.3CVSS

2020-04-07 12:00 AM
17
apple

About the security content of iOS 13.2 and iPadOS 13.2 - Apple Support

About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. Apple security documents reference...

7.8CVSS

-0.1AI Score

0.806EPSS

2020-04-05 02:40 AM
50
taosecurity

Seeing Book Shelves on Virtual Calls

I have a confession... for me, the best part of virtual calls, or seeing any reporter or commentator working for home, is being able to check out their book shelves. I never use computer video, because I want to preserve the world's bandwidth. That means I don't share what my book shelves look...

7.4AI Score

2020-04-02 11:03 PM
27
taosecurity

Skill Levels in Digital Security

Two posts in one day? These are certainly unusual times. I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the...

7.1AI Score

2020-03-27 03:15 PM
55
taosecurity

When You Should Blog and When You Should Tweet

I saw my like-minded, friend-that-I've-never-met Andrew Thompson Tweet a poll, posted above. I was about to reply with the following Tweet: "If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and...

-0.2AI Score

2020-03-27 12:54 PM
31
malwarebytes

Coronavirus Bitcoin scam promises “millions” working from home

In the last week, we’ve seen multiple coronavirus scams pushed by bad actors, including RAT attacks via fake health advisories, bogus e-books working in tandem with Trojans, and lots of other phishing shenanigans. Now we have another one to add to the ever-growing list: dubious coronavirus Bitcoin....

6.7AI Score

2020-03-26 05:05 PM
33
mssecure

Welcoming and retaining diversity in cybersecurity

I doubt I’d be in the role I am now if leaders at one of my first jobs hadn’t taken an interest in my career. Although I taught myself to code when I was young, I graduated from college with a degree in English Literature and began my post-college career in editorial. I worked my way up to...

-0.8AI Score

2020-03-24 04:00 PM
22
malwarebytes

Coronavirus scams, found and explained

Coronavirus has changed the face of the world, restricting countless individuals from dining at restaurants, working from cafes, and visiting their loved ones. But for cybercriminals, this global pandemic is expanding their horizons. In the past week, Malwarebytes discovered multiple email scams...

-0.2AI Score

2020-03-20 03:00 PM
27
mskb

March 10, 2020—KB4540681 (OS Build 16299.1747)

March 10, 2020—KB4540681 (OS Build 16299.1747) Reminder March 12 and April 9 were the last two Delta updates for Windows 10, version 1709. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please...

7.3AI Score

0.54EPSS

2020-03-10 07:00 AM
77
carbonblack

Announcing the VMware vExpert Security Program!

We’re excited to share that the VMware Security Products Team and Carbon Black is announcing a new Security vExperts program. If you’re not familiar with vExperts, the program is designed to recognize individuals who are passionate about sharing their knowledge of VMware technologies with the...

6.7AI Score

2020-03-06 07:12 PM
22
malwarebytes

Technology and the power of moral panic

Moral panic is a fascinating topic, and often finds itself tied up in the cutting edge-technology of the times once it works its way into the hands of younger generations. Music, games, movies—pretty much anything you can think of is liable to gatecrash the “won’t somebody think of the children?”.....

-0.3AI Score

2020-03-05 04:00 PM
29
malwarebytes

Child identity theft, part 1: On familiar fraud

In 2013, 30-year-old Axton Betz-Hamilton received an angry phone call from her father two weeks after her mother, Pam, died. "What the hell were you thinking?" he screamed. He had just unearthed a credit card statement in her name that had run over its limit from a box of her mother’s paperwork. .....

0.3AI Score

2020-03-03 08:17 PM
59
schneier

Humble Bundle's 2020 Cybersecurity Books

For years, Humble Bundle has been selling great books at a "pay what you can afford" model. This month, they're featuring as many as nineteen cybersecurity books for as little as $1, including four of mine. These are digital copies, all DRM-free. Part of the money goes to support the EFF or Let's.....

1.7AI Score

2020-02-28 07:53 PM
39
schneier

Securing the Internet of Things through Class-Action Lawsuits

This law journal article discusses the role of class-action litigation to secure the Internet of Things. Basically, the article postulates that (1) market realities will produce insecure IoT devices, and (2) political failures will leave that industry unregulated. Result: insecure IoT. It proposes....

1.8AI Score

2020-02-27 12:03 PM
24
talosblog

New Research Paper: Prevalence and impact of low-entropy packing schemes in the malware ecosystem

Detection of malware is a constant battle between the technologies designed to detect and prevent malware and the authors creating them. One common technique adversaries leverage is packing binaries. Packing an executable is similar to applying compression or encryption and can inhibit the ability....

-0.1AI Score

2020-02-27 04:53 AM
59
threatpost

Billions of Devices Open to Wi-Fi Eavesdropping Attacks

SAN FRANCISCO — A serious vulnerability in Wi-Fi chips has been discovered that affects billions of devices worldwide, according to researchers. It allows attackers to eavesdrop on Wi-Fi communications. The bug (CVE-2019-15126) stems from the use of an all-zero encryption key in chips made by...

-0.2AI Score

0.007EPSS

2020-02-27 04:07 AM
141
thn

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

Cybersecurity researchers today uncovered a new high-severity hardware vulnerability residing in the widely-used Wi-Fi chips manufactured by Broadcom and Cypress—apparently powering over a billion devices, including smartphones, tablets, laptops, routers, and IoT gadgets. Dubbed 'Kr00k' and...

3.1CVSS

-0.1AI Score

0.007EPSS

2020-02-26 06:15 PM
303
schneier

Inrupt, Tim Berners-Lee's Solid, and Me

For decades, I have been talking about the importance of individual privacy. For almost as long, I have been using the metaphor of digital feudalism to describe how large companies have become central control points for our data. And for maybe half a decade, I have been talking about the...

0.1AI Score

2020-02-21 08:04 PM
58
schneier

Policy vs Technology

Sometime around 1993 or 1994, during the first Crypto Wars, I was part of a group of cryptography experts that went to Washington to advocate for strong encryption. Matt Blaze and Ron Rivest were with me; I don't remember who else. We met with then Massachusetts Representative Ed Markey. (He...

-0.9AI Score

2020-02-21 11:54 AM
43
thn

Scam Alert: You've Been Selected for 'Like of the Year 2020' Cash Prizes

Cybersecurity researchers have discovered a large-scale ongoing fraud scheme that lures unsuspecting Russian Internet users with promises of financial rewards to steal their payment card information. According to researchers at Group-IB, the multi-stage phishing attack exploited the credibility...

0.8AI Score

2020-02-20 12:36 PM
24
threatpost

Hamas Ensnares Israeli Soldiers with Pretty 'Ladies'

Hamas has been caught taking a classic “catfish” approach, to tempt Israeli soldiers into installing spyware on their phones. Members posed as teen girls who are looking for quality chat time. This is the third time that the Palestinian group has used the tactic – but this time it upped its...

0.1AI Score

2020-02-19 03:52 PM
25
osv

clamav - security update

Bulletin has no...

6.5CVSS

6.5AI Score

0.017EPSS

2020-02-18 12:00 AM
5
mskb

February 11, 2020—KB4537789 (OS Build 16299.1686)

February 11, 2020—KB4537789 (OS Build 16299.1686) Reminder March 12 and April 9 were the last two Delta updates for Windows 10, version 1709. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please...

7.5AI Score

EPSS

2020-02-11 08:00 AM
42
schneier

Security in 2020: Revisited

Ten years ago, I wrote an essay: "Security in 2020." Well, it's finally 2020. I think I did pretty well. Here's what I said back then: There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against...

-0.6AI Score

2020-02-07 06:50 PM
53
osv

CVE-2020-3123

A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users.....

7.5CVSS

6.7AI Score

0.011EPSS

2020-02-05 06:15 PM
6
schneier

Attacking Driverless Cars with Projected Images

Interesting research -- "Phantom Attacks Against Advanced Driving Assistance Systems": Abstract: The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual...

1.2AI Score

2020-02-03 12:24 PM
53
kitploit

DVNA - Damn Vulnerable NodeJS Application

Damn Vulnerable NodeJS Application (DVNA) is a simple NodeJS application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities. The fixes branch will contain fixes for the vulnerabilities. Fixes for vulnerabilities OWASP Top 10 2017 vulnerabilities at...

7.4AI Score

2020-02-02 12:00 PM
146
malwarebytes

Deepfakes laws and proposals flood US

In a rare example of legislative haste, roughly one dozen state and federal bills were introduced in the past 12 months to regulate deepfakes, the relatively modern technology that some fear could upend democracy. Though the federal proposals have yet to move forward, the state bills have found...

7.1AI Score

2020-01-23 05:59 PM
24
mskb

October 3, 2019—KB4524149 (OS Build 17134.1040)

October 3, 2019—KB4524149 (OS Build 17134.1040) IMPORTANT This is a required security update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent...

7.7AI Score

0.872EPSS

2020-01-23 12:00 AM
178
openvas

Huawei EulerOS: Security Advisory for libpng (EulerOS-SA-2019-1421)

The remote host is missing an update for the Huawei...

8.8CVSS

8.3AI Score

0.832EPSS

2020-01-23 12:00 AM
8
mskb

October 3, 2019—KB4524148 (OS Build 17763.775)

October 3, 2019—KB4524148 (OS Build 17763.775) IMPORTANT This is a required security update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent...

7.6AI Score

0.872EPSS

2020-01-23 12:00 AM
128
mskb

October 3, 2019—KB4524150 (OS Build 16299.1421)

October 3, 2019—KB4524150 (OS Build 16299.1421) IMPORTANT This is a required security update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent...

7.6AI Score

0.872EPSS

2020-01-23 12:00 AM
46
osv

CVE-2019-15961

A vulnerability in the email parsing module Clam AntiVirus (ClamAV) Software versions 0.102.0, 0.101.4 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to inefficient MIME parsing routines that result...

6.5CVSS

4.9AI Score

0.017EPSS

2020-01-15 07:15 PM
8
packetstorm

-0.1AI Score

2020-01-15 12:00 AM
122
exploitdb

7.4AI Score

2020-01-15 12:00 AM
119
exploitpack

Online Book Store 1.0 - bookisbn SQL Injection

Online Book Store 1.0 - bookisbn SQL...

AI Score

2020-01-15 12:00 AM
27
zdt

Online Book Store 1.0 - (bookisbn) SQL Injection Vulnerability

Exploit for php platform in category web...

7.1AI Score

2020-01-15 12:00 AM
98
mskb

January 14, 2020—KB4534276 (OS Build 16299.1625)

January 14, 2020—KB4534276 (OS Build 16299.1625) Reminder March 12 and April 9 were the last two Delta updates for Windows 10, version 1709. Security and quality updates will continue to be available via the express and full cumulative update packages. For more information on this change please...

7.1AI Score

0.975EPSS

2020-01-14 08:00 AM
181
krebs

Alleged Member of Neo-Nazi Swatting Group Charged

Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in "swatting" attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into...

6.8AI Score

2020-01-11 03:22 AM
58
kitploit

Git-Vuln-Finder - Finding Potential Software Vulnerabilities From Git Commit Messages

Finding potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding a software vulnerability. The search is based on a set of regular expressions against the commit messages only. If CVE IDs are present,...

7.8CVSS

7.5AI Score

0.476EPSS

2020-01-08 08:35 PM
60
threatpost

Magecart Hits Parents and Students via Blue Bear Attack

Blue Bear Software, an administration and e-commerce platform for K-12 schools and other educational institutions, is warning its customers that it has suffered a Magecart attack. Blue Bear’s platform enables management of school accounting, student fees and online stores. In a letter to those...

-0.8AI Score

0.001EPSS

2020-01-06 09:47 PM
99
malwarebytes

New Consumer Online Privacy Rights Act (COPRA) would empower American users

Despite the already dizzying number of comprehensive data privacy proposals before the US Senate—nearly 10 have been introduced since mid-2018—yet another bill has entered the conversation: the Consumer Online Privacy Rights Act. This time, the bill, called COPRA for short, is sponsored by a...

-0.2AI Score

2019-12-17 05:28 PM
30
Total number of security vulnerabilities: 2571