Understanding the OWASP API Security Top 10: Why BOLA is the Number One Risk for APIs
Understanding and addressing vulnerabilities is critical in cybersecurity, where APIs serve as the backbone for seamless data exchange. The OWASP API Security Top 10, revised in 2023, provides a comprehensive guide to the critical issues that organizations must tackle to ensure the robust security....
8AI Score
PixPirate Android Banking Trojan Using New Evasion Tactic to Target Brazilian Users
The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil. The approach allows it to hide the malicious app's icon from the home screen of the victim's device, IBM said...
7.4AI Score
Threat actors leverage document publishing sites for ongoing credential and session token theft
Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft during recent incident response and threat intelligence engagements. Hosting phishing lures on DDP sites increases the.....
6.9AI Score
Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub
A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader. "The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection.....
7.1AI Score
The State of Stalkerware in 2023–2024
The State of Stalkerware in 2023 (PDF) The annual Kaspersky State of Stalkerware report aims to contribute to awareness and a better understanding of how people around the world are impacted by digital stalking. Stalkerware is commercially available software that can be discreetly installed on...
6.8AI Score
FreeBSD : Intel CPUs -- multiple vulnerabilities (b6dd9d93-e09b-11ee-92fc-1c697a616631)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b6dd9d93-e09b-11ee-92fc-1c697a616631 advisory. Intel reports: 2024.1 IPU - Intel Processor Bus Lock Advisory A potential security...
6.5CVSS
6.9AI Score
0.001EPSS
Description: The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up.....
5.3CVSS
6.9AI Score
0.0004EPSS
Top MITRE ATT&CK Tactics and Techniques Leveraged in 2023
The Qualys Threat Research Unit has mapped vulnerabilities and misconfigurations to the MITRE ATT&CK framework tactics and techniques to help you get the attacker’s view. They have also analyzed vulnerabilities and misconfigurations across all our customers to find the top tactics and techniques...
9.8AI Score
The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to...
4.3CVSS
4.4AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to...
4.3CVSS
5.3AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export...
4.3CVSS
5.2AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export...
4.3CVSS
4.3AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export...
4.3CVSS
6.8AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to...
4.3CVSS
6.9AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export...
4.3CVSS
4.6AI Score
0.0004EPSS
The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to...
4.3CVSS
4.7AI Score
0.0004EPSS
Incognito Darknet Market Mass-Extorts Buyers, Sellers
Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass...
6.7AI Score
Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication
Description: The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or...
4.3CVSS
6.6AI Score
0.0004EPSS
Mollie Forms < 2.6.4 - Missing Authorization
Description: The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to....
4.3CVSS
6.5AI Score
0.0004EPSS
FreeBSD : Unbound -- Denial-of-Service vulnerability (c2ad8700-de25-11ee-9190-84a93843eb75)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the c2ad8700-de25-11ee-9190-84a93843eb75 advisory. NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that...
7.5CVSS
7.1AI Score
0.0004EPSS
Nomore403 - Tool To Bypass 403/40X Response Codes
nomore403 is an innovative tool designed to help cybersecurity professionals and enthusiasts bypass HTTP 40X errors encountered during web security assessments. Unlike other solutions, nomore403 automates various techniques to seamlessly navigate past these access restrictions, offering a broad...
7.4AI Score
Fedora: Security Advisory for jgoodies-forms (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for...
7AI Score
0.0004EPSS
FreeBSD : Gitlab -- Vulnerabilities (b2caae55-dc38-11ee-96dc-001b217b3468)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b2caae55-dc38-11ee-96dc-001b217b3468 advisory. An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior...
7.7CVSS
7.3AI Score
0.0004EPSS
FreeBSD : electron{27,28} -- vulnerability in libxml2 (e74da31b-276a-4a22-9772-17dd42b97559)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the e74da31b-276a-4a22-9772-17dd42b97559 advisory. An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML...
7.5CVSS
6.9AI Score
0.0005EPSS
EventPrime – Events Calendar, Bookings and Tickets < 3.4.3 - Unauthenticated Booking Payment Bypass
Description: The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for...
5.3CVSS
6.8AI Score
0.0004EPSS
[SECURITY] Fedora 40 Update: jgoodies-forms-1.9.0-11.fc40
The JGoodies Forms framework helps you lay out and implement elegant Swing panels quickly and consistently. It makes simple things easy and the hard stuff possible, the good design easy and the bad...
9.1AI Score
0.0004EPSS
It's that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout for a whole manner of tax-related scams. These are something that pop up every year through email, texts, phone calls and even physical mail -- phony...
7AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 26, 2024 to March 3, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 121 vulnerabilities disclosed in 88...
9.8CVSS
9.6AI Score
0.001EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including,....
8.2CVSS
8.6AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including,....
8.2CVSS
8.1AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and....
7.5CVSS
7.8AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and....
7.5CVSS
7.4AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including,....
8.2CVSS
7.1AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and....
7.5CVSS
7AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and....
7.5CVSS
7.5AI Score
0.0004EPSS
The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including,....
8.2CVSS
8.2AI Score
0.0004EPSS
The year in figures: 45.60% of all email sent worldwide and 46.59% of all email sent in the Runet (the Russian web segment) was spam; 31.45% of all spam email was sent from Russia; Kaspersky Mail Anti-Virus blocked 135,980,457 malicious email attachments; our Anti-Phishing system thwarted 709,590,011.....
7.8CVSS
7.3AI Score
0.974EPSS
The version of Golang running on the remote host is prior to 1.33.0. It is, therefore, affected by a Denial of Service vulnerability. A maliciously crafted file could cause the protojson.Unmarshal function to enter an infinite loop when unmarshaling certain forms of invalid JSON. This...
7AI Score
0.0004EPSS
FreeBSD : chromium -- multiple security fixes (fd3401a1-b6df-4577-917a-2c22fee99d34)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the fd3401a1-b6df-4577-917a-2c22fee99d34 advisory. Out of bounds memory access in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote...
7.1AI Score
0.0004EPSS
Description: The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and...
4.3CVSS
6.5AI Score
0.0004EPSS
FreeBSD : go -- multiple vulnerabilities (b1b039ec-dbfc-11ee-9165-901b0e9408dc)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b1b039ec-dbfc-11ee-9165-901b0e9408dc advisory. When following an HTTP redirect to a domain which is not a subdomain match or exact match of...
6.5AI Score
0.0004EPSS
Fluent Forms < 5.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web...
4.9CVSS
6AI Score
0.0004EPSS
Remote Code Execution by uploading a phar file using frontmatter
Summary: Due to insufficient permission verification, a user who can write a page can use the frontmatter feature. Inadequate file name validation. Details: Insufficient permission verification. In Grav CMS, "Frontmatter" refers to the metadata block located at the top of a Markdown file. Frontmatter serves...
8.8CVSS
7.9AI Score
0.0004EPSS
Remote Code Execution by uploading a phar file using frontmatter
Summary: Due to insufficient permission verification, a user who can write a page can use the frontmatter feature. Inadequate file name validation. Details: Insufficient permission verification. In Grav CMS, "Frontmatter" refers to the metadata block located at the top of a Markdown file. Frontmatter serves...
8.8CVSS
7.8AI Score
0.0004EPSS
ALPHV ransomware gang fakes own death, fools no one
For the second time in only four months, all is not well on the ALPHV (aka BlackCat) ransomware gang's dark web site. Gone are the lists of compromised victims. In their place, a veritable garden of law enforcement badges has sprouted beneath the ominous message "THIS WEBSITE HAS BEEN SEIZED." The....
7.6AI Score
Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout
The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner. "ALPHV/BlackCat did not get seized. They are exit scamming their affiliates," security researcher Fabian Wosar said. "It is...
7.3AI Score
A New Way To Manage Your Web Exposure: The Reflectiz Product Explained
An in-depth look into a proactive website security solution that continuously detects, prioritizes, and validates web threats, helping to mitigate security, privacy, and compliance risks. [Reflectiz shields websites from client-side attacks, supply chain risks, data breaches, privacy violations,...
6.9AI Score
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain...
7.5CVSS
6.8AI Score
0.023EPSS
In SilverStripe through 4.5, files uploaded via Forms to folders migrated from Silverstripe CMS 3.x may be put to the default "/Uploads" folder instead. This affects installations which allowed upload folder protection via the optional silverstripe/secureassets module under 3.x. This module is...
7.5CVSS
6.8AI Score
0.002EPSS
Jenkins SoapUI Pro Functional Testing Plugin 1.5 and earlier transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their...
4.3CVSS
6.8AI Score
0.001EPSS