Description The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie....
9CVSS
7.3AI Score
0.0004EPSS
WooCommerce Dropshipping <= 5.0.4 - Missing Authorization to Unauthenticated Arbitrary Email Send
Description The WooCommerce Dropshipping Premium plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on a function in all versions up to, and including, 5.0.4. This makes it possible for unauthenticated attackers to send arbitrary...
5.3CVSS
6.8AI Score
0.0005EPSS
Amazon Linux 2 : thunderbird (ALAS-2024-2561)
The version of thunderbird installed on the remote host is prior to 115.11.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2561 advisory. A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the...
9.1AI Score
0.0004EPSS
Fedora: Security Advisory for php (FEDORA-2024-49aba7b305)
The remote host is missing an update for...
9.8CVSS
10AI Score
0.973EPSS
Missing Authorization vulnerability in Contact List PRO Contact List – Easy Business Directory, Staff Directory and Address Book Plugin.This issue affects Contact List – Easy Business Directory, Staff Directory and Address Book Plugin: from n/a through...
5.3CVSS
0.0004EPSS
Missing Authorization vulnerability in Contact List PRO Contact List – Easy Business Directory, Staff Directory and Address Book Plugin.This issue affects Contact List – Easy Business Directory, Staff Directory and Address Book Plugin: from n/a through...
5.3CVSS
5.3AI Score
0.0004EPSS
Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log.This issue affects Post SMTP Mailer/Email Log: from n/a through...
8.6CVSS
0.0004EPSS
Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log.This issue affects Post SMTP Mailer/Email Log: from n/a through...
8.6CVSS
8.6AI Score
0.0004EPSS
How Cynet Makes MSPs Rich & Their Clients Secure
Managed service providers (MSPs) are on the front lines of soaring demand for cybersecurity services as cyberattacks increase in volume and sophistication. Cynet has emerged as the security vendor of choice for MSPs to capitalize on existing relationships with SMB clients and profitably expand...
7.1AI Score
Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log.This issue affects Post SMTP Mailer/Email Log: from n/a through...
8.6CVSS
0.0004EPSS
Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log.This issue affects Post SMTP Mailer/Email Log: from n/a through...
8.6CVSS
7AI Score
0.0004EPSS
CVE-2024-34821 WordPress Contact List plugin <= 2.9.87 - Broken Access Control vulnerability
Missing Authorization vulnerability in Contact List PRO Contact List – Easy Business Directory, Staff Directory and Address Book Plugin.This issue affects Contact List – Easy Business Directory, Staff Directory and Address Book Plugin: from n/a through...
5.3CVSS
0.0004EPSS
CVE-2024-34821 WordPress Contact List plugin <= 2.9.87 - Broken Access Control vulnerability
Missing Authorization vulnerability in Contact List PRO Contact List – Easy Business Directory, Staff Directory and Address Book Plugin.This issue affects Contact List – Easy Business Directory, Staff Directory and Address Book Plugin: from n/a through...
5.3CVSS
7.2AI Score
0.0004EPSS
10 years of the GitHub Security Bug Bounty Program
Each year, we celebrate the GitHub Security Bug Bounty program, highlighting impressive bugs and researchers, rewards, live hacking events, and more. This year, we celebrate a new milestone: 10 years of the GitHub Security Bug Bounty program! While we've had some exciting growth over the last 10...
7AI Score
Chinese Actor SecShow Conducts Massive DNS Probing on Global Scale
Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) on a global scale since at least June 2023. The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the....
9.8CVSS
6.7AI Score
0.957EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: AVEVA Equipment: PI Web API Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code...
7.7AI Score
0.0004EPSS
AVEVA PI Asset Framework Client
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: AVEVA Equipment: PI Asset Framework Client Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow malicious code execution. 3. TECHNICAL...
7.3AI Score
0.0004EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: MicroDicom Equipment: DICOM Viewer Vulnerabilities: Improper Authorization in Handler for Custom URL Scheme, Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these...
8.8CVSS
7.9AI Score
0.0004EPSS
Schneider Electric APC Easy UPS Online Monitoring Software (Update A)
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/Low attack complexity/Public exploits available Vendor: Schneider Electric Equipment: APC Easy UPS Online Monitoring Software Vulnerability: OS Command Injection, Missing Authentication for Critical Function 2. RISK...
9.8CVSS
10AI Score
0.003EPSS
Rockwell Automation ControlLogix, GuardLogix, and CompactLogix
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: ControlLogix, GuardLogix, CompactLogix Vulnerability: Always-Incorrect Control Flow Implementation 2. RISK EVALUATION Successful exploitation of this vulnerability could compromise...
6.5AI Score
0.0004EPSS
23andMe data breach under joint investigation in two countries
The British and Canadian privacy authorities have announced they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was discovered in October 2023. On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that cybercriminals....
6.8AI Score
Top 10 Critical Pentest Findings 2024: What You Need to Know
One of the most effective ways for information technology (IT) professionals to uncover a company's weaknesses before the bad guys do is penetration testing. By simulating real-world cyberattacks, penetration testing, sometimes called pentests, provides invaluable insights into an organization's...
9.8CVSS
8.9AI Score
0.975EPSS
When things go wrong: A digital sharing warning for couples
“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice. In new research that Malwarebytes will release this month,...
6.9AI Score
Google’s Chrome changes make life harder for ad blockers
Despite protests, Google is rolling out changes in the Chrome browser that make it harder for ad blockers to do their job. Starting last Monday, June 3, 2024, Chrome Beta, Dev, and Canary channels will see the effects of the implementation of the new extension platform Manifest V3. The gradual...
7AI Score
Apple Launches Private Cloud Compute for Privacy-Centric AI Processing
Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud. The tech giant described PCC as the "most advanced security architecture.....
7.4AI Score
China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics
Cybersecurity researchers have uncovered an updated version of malware called ValleyRAT that's being distributed as part of a new campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event...
7.8CVSS
7.6AI Score
0.974EPSS
QR code SQL injection and other vulnerabilities in a popular biometric terminal
Biometric scanners offer a unique way to resolve the conflict between security and usability. They help to identify a person by their unique biological characteristics – a fairly reliable process that does not require the user to exert any extra effort. Yet, biometric scanners, as any other tech,.....
10CVSS
9AI Score
0.0004EPSS
Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487) Overview This update replaces previously released updates. You should always install the latest update. This update also fixes vulnerabilities. For...
8.8CVSS
8.9AI Score
0.001EPSS
Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign
As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the.....
8AI Score
BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness
Description The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email...
6.5CVSS
6.9AI Score
0.0005EPSS
Description The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due....
6.4CVSS
5.8AI Score
0.001EPSS
A vulnerability in the MIME-tools component of the open-source content filter for Amavis email is related to an interpretation conflict when a MIME email message has multiple boundary parameters. Exploitation of the vulnerability could allow an attacker acting remotely to elevate the...
7.1AI Score
0.0004EPSS
Description The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and above, to.....
6.4CVSS
6.3AI Score
0.001EPSS
Amazon Linux 2 : firefox (ALASFIREFOX-2024-025)
The version of firefox installed on the remote host is prior to 115.11.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2024-025 advisory. A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in...
8.7AI Score
0.0004EPSS
Description The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create.....
6.5CVSS
6.9AI Score
0.0005EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric APC Easy UPS Online. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SchneiderUPS.exe desktop application. The issue results from...
7.7AI Score
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user...
5.5CVSS
5.7AI Score
0.001EPSS
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user...
5.5CVSS
0.001EPSS
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. A maliciously crafted email may be able to initiate FaceTime calls without user...
0.001EPSS
Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing
Impact In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type...
7AI Score
Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing
Impact In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type...
7AI Score
Docker CLI leaks private registry credentials to registry-1.docker.io
Impact A bug was found in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file (typically ~/.docker/config.json) listing a credsStore or credHelpers that could not be executed would result in any provided credentials being sent to...
7.5CVSS
6.4AI Score
0.001EPSS
Docker CLI leaks private registry credentials to registry-1.docker.io
Impact A bug was found in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file (typically ~/.docker/config.json) listing a credsStore or credHelpers that could not be executed would result in any provided credentials being sent to...
7.5CVSS
6.4AI Score
0.001EPSS
`docker cp` allows unexpected chmod of host files in Moby Docker Engine
Impact A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read,...
6.3CVSS
6.5AI Score
0.0005EPSS
`docker cp` allows unexpected chmod of host files in Moby Docker Engine
Impact A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read,...
6.3CVSS
6.5AI Score
0.0005EPSS
go-grpc-compression has a zstd decompression bombing vulnerability
Impact A malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases. Versions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll...
8.2CVSS
6.8AI Score
0.001EPSS
go-grpc-compression has a zstd decompression bombing vulnerability
Impact A malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases. Versions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll...
8.2CVSS
6.8AI Score
0.001EPSS
A European Summer of Sports is Upon Us – What Does it Mean for Security?
The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors.....
7AI Score
Bypassing 2FA with phishing and OTP bots
Introduction Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today's websites offer some form of it, and some of them won't even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain...
7.2AI Score
Missing Authorization vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...
7.3CVSS
5.5AI Score
0.0005EPSS