Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through...
4.3CVSS
5.1AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through...
4.3CVSS
7.3AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through...
4.3CVSS
7AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks. Integration for Contact Form 7 and Constant Contact.This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through...
4.3CVSS
5.1AI Score
0.0004EPSS
Technology was once simply a tool--and a small one at that--used to amplify human intent and capacity. That was the story of the industrial revolution: we could control nature and build large, complex human societies, and the more we employed and mastered technology, the better things got. We...
6.9AI Score
Progress Telerik Report Server - Authentication Bypass
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass...
9.9CVSS
9.7AI Score
0.938EPSS
IT threat evolution Q1 2024 IT threat evolution Q1 2024. Mobile statistics IT threat evolution Q1 2024. Non-mobile statistics Targeted attacks Operation Triangulation: the final mystery Last June, we published a series of reports on Operation Triangulation, a previously unknown iOS malware...
7.8CVSS
6AI Score
0.003EPSS
AIX is vulnerable to information disclosure due to openCryptoki (CVE-2024-0914)
IBM SECURITY ADVISORY First Issued: Mon Jun 3 08:50:37 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/opencryptoki_advisory.asc Security Bulletin: AIX is vulnerable to information disclosure due to openCryptoki...
5.9CVSS
5.8AI Score
0.001EPSS
typo3/cms-core is vulnerable to Remote Code Execution. The vulnerability is due to the ability to obfuscate Phar files as image or text files, which can then be uploaded and invoked via manipulated URLs in TYPO3 backend forms, which allows an attacker to execute arbitrary...
8.1AI Score
A week in security (May 27 – June 2)
Last week on Malwarebytes Labs: Data leak site BreachForums is back, boasting Live Nation/Ticketmaster user data. But is it a trap? The Ticketmaster "breach"—what you need to know Ticketmaster confirms customer data breach How to tell if a VPN app added your Windows device to a botnet Beware of...
6.8AI Score
typo3/cms-core is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a failure to properly encode user input in frontend forms handled by the form framework, allowing malicious users to inject and execute arbitrary JavaScript code in the context of other users'...
6.7AI Score
The Active Admin (aka activeadmin) framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities (to be later edited in forms) with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed...
5.7AI Score
EPSS
The Active Admin (aka activeadmin) framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities (to be later edited in forms) with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed...
6.1AI Score
EPSS
The Active Admin (aka activeadmin) framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities (to be later edited in forms) with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed...
5.7AI Score
EPSS
Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware
Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2). "Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware,"...
K000139877: Linux kernel vulnerabilities CVE-2021-47076 and CVE-2021-47080
Security Advisory Description CVE-2021-47076 In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Return CQE error if invalid lkey was supplied RXE is missing update of WQE status in LOCAL_WRITE failures. This caused the following kernel panic if someone sent an atomic...
5.6AI Score
0.0004EPSS
K000139880: Intel CPU/BIOS vulnerabilities CVE-2023-28402, CVE-2023-27504, and CVE-2023-28383
Security Advisory Description CVE-2023-28402 Improper input validation in some Intel(R) BIOS Guard firmware may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2023-27504 Improper conditions check in some Intel(R) BIOS Guard firmware may allow a...
7.2CVSS
6.5AI Score
0.0004EPSS
RHEL 4 : evolution (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 4 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. DoS from large email (CVE-2006-0040) evolution: mailto URL scheme attachment header improper input...
7.1AI Score
0.018EPSS
K000139876: Linux kernel vulnerability CVE-2021-46955
Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets:...
5.9AI Score
0.0004EPSS
RHEL 5 : quagga (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. quagga: VPNv4 NLRI parser memcpys to stack on unchecked length (CVE-2016-2342) quagga: Double free...
6.5CVSS
7.8AI Score
0.268EPSS
RHEL 7 : irssi (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. irssi: heap buffer overflow due to calculation error in the completion code (CVE-2018-5208) The buf.pl...
9.8CVSS
7.2AI Score
0.011EPSS
RHEL 6 : evolution (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. evolution: specially crafted email leading to OpenPGP signatures being spoofed for arbitrary messages ...
6.5CVSS
6.6AI Score
0.003EPSS
RHEL 6 : quagga (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to ...
6.5CVSS
8.5AI Score
0.122EPSS
RHEL 7 : perl-email-address (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. perl-Email-Address: denial of service when parsing crafted email address list (CVE-2015-7686) ...
7.5CVSS
8.2AI Score
0.039EPSS
RHEL 5 : evolution (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. evolution: incorrect selection of recipient gpg public key for encrypted mail (CVE-2013-4166) GNOME...
7.5CVSS
8AI Score
0.005EPSS
RHEL 8 : evolution (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. evolution: attaching local filed/directories to composed email can lead to unintended information disclosure...
6.5CVSS
6.4AI Score
0.001EPSS
RHEL 7 : evolution (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. evolution: attaching local filed/directories to composed email can lead to unintended information disclosure...
6.5CVSS
6.5AI Score
0.001EPSS
RHEL 6 : irssi (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. irssi: heap buffer overflow due to calculation error in the completion code (CVE-2018-5208) The buf.pl...
9.8CVSS
7.2AI Score
0.011EPSS
6.4AI Score
0.0004EPSS
RHEL 6 : rabbitmq-server (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. rabbitmq: MQTT connection authentication succeeds with empty password (CVE-2016-9877) An issue was...
7.8CVSS
6.9AI Score
0.003EPSS
RHEL 6 : django (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. python-django: DNS rebinding vulnerability when 'DEBUG=True' (CVE-2016-9014) Django before 1.4.21, 1.5.x...
8.1CVSS
7.7AI Score
0.017EPSS
Password confirmation stored in plain text via registration form in statamic/cms
Users registering via the user:register_form tag will have their password confirmation stored in plain text in their user file. Impact This only affects sites matching all of the following conditions: - Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one...
1.8CVSS
6.2AI Score
0.0004EPSS
Password confirmation stored in plain text via registration form in statamic/cms
Users registering via the user:register_form tag will have their password confirmation stored in plain text in their user file. Impact This only affects sites matching all of the following conditions: - Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one...
1.8CVSS
6.2AI Score
0.0004EPSS
Improper Handling of Insufficient Permissions in `wagtail.contrib.settings`
Impact Due to an improperly applied permission check in the wagtail.contrib.settings module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model....
5.5CVSS
6.3AI Score
0.0004EPSS
Improper Handling of Insufficient Permissions in `wagtail.contrib.settings`
Impact Due to an improperly applied permission check in the wagtail.contrib.settings module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model....
5.5CVSS
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tipc: fix UAF in error path Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported a UAF in the tipc_buf_append() error path: BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0...
7.1AI Score
0.0004EPSS
EvilSlackbot - A Slack Bot Phishing Framework For Red Teaming Exercises
EvilSlackbot A Slack Attack Framework for conducting Red Team and phishing exercises within Slack workspaces. Disclaimer This tool is intended for Security Professionals only. Do not use this tool against any Slack workspace without explicit permission to test. Use at your own risk. Background...
7AI Score
4.9CVSS
6.7AI Score
0.013EPSS
7.4AI Score
6.7AI Score
0.0004EPSS
7.6CVSS
6.7AI Score
0.0004EPSS
Ticketmaster confirms customer data breach
Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach. In a filing with the SEC, Live Nation said on May 20th it identified "unauthorized activity within a third-party cloud database environment containing Company...
7.4AI Score
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied.....
6.4CVSS
6AI Score
0.0004EPSS
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied.....
6.4CVSS
5.9AI Score
0.0004EPSS
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied.....
6.4CVSS
5.9AI Score
0.0004EPSS
7.4AI Score
Moodle CSRF risk in analytics management of models
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF...
6.4AI Score
0.0004EPSS
Moodle CSRF risk in analytics management of models
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF...
6.4AI Score
0.0004EPSS
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF...
6.7AI Score
0.0004EPSS
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF...
6.4AI Score
0.0004EPSS