Google Prevented 2.28 Million Malicious Apps from Reaching Play Store in 2023
Google on Monday revealed that almost 200,000 app submissions to its Play Store for Android were either rejected or remediated to address issues with access to sensitive data such as location or SMS messages over the past year. The tech giant also said it blocked 333,000 bad accounts from the app.....
7.3AI Score
Kaiser health insurance leaked patient data to advertisers
Health insurance giant Kaiser has announced it will notify millions of patients about a data breach after sharing patients’ data with advertisers. Kaiser said that an investigation led to the discovery that “certain online technologies, previously installed on its websites and mobile applications,....
7AI Score
Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover
Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and...
10CVSS
8.7AI Score
0.0004EPSS
Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS)...
6.1CVSS
6.4AI Score
0.0005EPSS
Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS)...
6.1CVSS
6.1AI Score
0.0005EPSS
CVE-2024-4302 Super 8 livechat SDK - Cross-site Scripting
Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS)...
6.1CVSS
6.3AI Score
0.0005EPSS
MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.3.9 - Missing Authorization
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for...
6.3CVSS
6.3AI Score
0.0004EPSS
FreeBSD : GLPI -- multiple vulnerabilities (5da8b1e6-0591-11ef-9e00-080027957747)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5da8b1e6-0591-11ef-9e00-080027957747 advisory. GLPI team reports: GLPI 10.0.15 Changelog (CVE-2024-29889, CVE-2024-31456) Note that Nessus...
7.7CVSS
7.6AI Score
0.0004EPSS
The Bug Report - April 2024 Edition
The Bug Report - April 2024 Edition By Jonathan Omakun and Tobi Olawale · April 29, 2024 Why am I here? Just when you thought it was safe to go back into the digital waters, out pops another series of rogue waves in the form of CVEs! It's like that beach vacation you planned to get away from it...
8.9AI Score
0.971EPSS
The Anatomy of HTML Attachment Phishing
The Anatomy of HTML Attachment Phishing: One Code, Many Variants By Mathanraj Thangaraju, Niranjan Hegde, and Sijo Jacob · June 14, 2023 Introduction Phishing is the malevolent practice of pretending to be a reliable entity in electronic communication to steal sensitive data, such as login...
7.4AI Score
FreeBSD : powerdns-recursor -- denial of service (1af16f2b-023c-11ef-8791-6805ca2fa271)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 1af16f2b-023c-11ef-8791-6805ca2fa271 advisory. A crafted response from an upstream server the recursor has been configured to forward-recurse to...
7.5CVSS
6.8AI Score
0.0004EPSS
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId...
8.8CVSS
8.9AI Score
0.0004EPSS
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId...
8.8CVSS
7.1AI Score
0.0004EPSS
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential...
6.8AI Score
Delinea Secret Server before 11.7.000001 allows attackers to bypass authentication via the SOAP API in SecretServer/webservices/SSWebService.asmx. This is related to a hardcoded key, the use of the integer 2 for the Admin user, and removal of the oauthExpirationId...
8.8CVSS
9AI Score
0.0004EPSS
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the b3affee8-04d1-11ef-8928-901b0ef714d4 advisory. Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due...
4.9CVSS
7.1AI Score
0.0004EPSS
RHEL 7 : openstack-nova and python-novaclient (RHSA-2018:0369)
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:0369 advisory. OpenStack Compute (nova) launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform....
6.5CVSS
6.7AI Score
0.001EPSS
Metasploit Weekly Wrap-Up 04/26/24
Rancher Modules This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to...
10AI Score
0.957EPSS
FreeBSD : chromium -- multiple security fixes (7a42852d-0347-11ef-9f97-a8a1599412c6)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7a42852d-0347-11ef-9f97-a8a1599412c6 advisory. Type Confusion in ANGLE. (CVE-2024-4058) Out of bounds read in V8 API. (CVE-2024-4059) ...
8.8CVSS
9.5AI Score
0.001EPSS
Tutor LMS < 2.7.0 - Missing Authorization to Unauthenticated Limited Options Update
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers.....
6.5CVSS
6.7AI Score
0.0005EPSS
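The two LMS entries above (MasterStudy and Tutor LMS) describe the same bug class: a plugin action reachable over admin-ajax.php that changes data without checking whether the caller is allowed to. The block below is an added example written for this page, not code from either plugin; the hook names, the option name and the function names are hypothetical and only the WordPress API calls are real. It puts the vulnerable shape (registered on the `wp_ajax_nopriv_` hook, no nonce, no capability check) next to the hardened handler, and runs inside a WordPress install, for instance as a file in wp-content/mu-plugins/.

```php
<?php
/**
 * Added example for this page (not MasterStudy or Tutor LMS code).
 * Hook names, the option name and the function names are hypothetical;
 * the WordPress API calls (add_action, update_option, check_ajax_referer,
 * current_user_can, wp_send_json_success/error) are real.
 * Runs only inside WordPress, e.g. dropped into wp-content/mu-plugins/.
 */

// --- Vulnerable pattern ---------------------------------------------------
// Registered on the "nopriv" hook as well as the logged-in hook, so any
// visitor can reach it, and it writes a site option without asking who the
// caller is or whether the request came from the plugin's own admin page.
add_action( 'wp_ajax_example_hide_notices',        'example_hide_notices_vulnerable' );
add_action( 'wp_ajax_nopriv_example_hide_notices', 'example_hide_notices_vulnerable' );

function example_hide_notices_vulnerable() {
    $value = isset( $_POST['hide'] ) ? (int) $_POST['hide'] : 0;
    update_option( 'example_hide_notices', $value ); // no capability check, no nonce
    wp_send_json_success( array( 'hidden' => $value ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. Register on the logged-in hook only; there is no wp_ajax_nopriv_ line.
// 2. Verify the nonce (stops cross-site requests riding an admin's session).
// 3. Check a capability that matches what the action changes (stops
//    subscribers and other low-privilege accounts).
add_action( 'wp_ajax_example_hide_notices_safe', 'example_hide_notices_hardened' );

function example_hide_notices_hardened() {
    // Ends the request with a 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_hide_notices', 'nonce' );

    // Changing a site-wide setting is an administrator-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $value = isset( $_POST['hide'] ) ? (int) $_POST['hide'] : 0;
    update_option( 'example_hide_notices', $value );
    wp_send_json_success( array( 'hidden' => $value ) );
}

// The admin page that issues the request has to send the matching nonce,
// for example by passing it to the page's script:
//   wp_localize_script( 'example-admin', 'exampleAjax', array(
//       'url'   => admin_url( 'admin-ajax.php' ),
//       'nonce' => wp_create_nonce( 'example_hide_notices' ),
//   ) );
```

A quick external check for the vulnerable shape is an unauthenticated POST of `action=example_hide_notices&hide=1` to `/wp-admin/admin-ajax.php`: a JSON body instead of the bare `0` that admin-ajax.php returns for an action with no nopriv hook means the handler is reachable without a session. The capability to check should be the one that matches the impact of the action, not just "is logged in"; `current_user_can( 'read' )` would still let any subscriber through.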
The private sector probably isn’t coming to save the NVD
I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database. Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that's disclosed and/or patched is now so far...
7.3AI Score
0.001EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 15, 2024 to April 21, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 209 vulnerabilities disclosed in 169...
9.9AI Score
Talos IR trends: BEC attacks surge, while weaknesses in MFA persist
Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter. The most observed means of gaining initial access...
8.3AI Score
0.733EPSS
The Rise of Large-Language-Model Optimization
The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming....
6.7AI Score
DOJ Arrests Founders of Crypto Mixer Samourai for $2 Billion in Illegal Transactions
The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end,....
7.4AI Score
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied...
5.4CVSS
5.1AI Score
0.0004EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied...
5.4CVSS
5.7AI Score
0.0004EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied...
5.4CVSS
5.2AI Score
0.0004EPSS
Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation. This issue affects Build App Online: from n/a through...
9.8CVSS
9.6AI Score
0.0004EPSS
Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation. This issue affects Build App Online: from n/a through...
9.8CVSS
6.9AI Score
0.0004EPSS
Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation. This issue affects Build App Online: from n/a through...
9.8CVSS
9.7AI Score
0.0004EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft uAMQP for Python. Authentication is not required to exploit this vulnerability. The specific flaw exists within the installation of uAMQP for Python. When installed from the official...
7.7AI Score
FreeBSD : Gitlab -- vulnerabilities (b857606c-0266-11ef-8681-001b217b3468)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b857606c-0266-11ef-8681-001b217b3468 advisory. An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all...
8.5CVSS
6.2AI Score
0.0004EPSS
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the bdfa6c04-027a-11ef-9c21-901b0e9408dc advisory. Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a...
6.5CVSS
6.9AI Score
0.0004EPSS
NorthStar C2, prior to commit 7674a44 on March 11, 2024, contains a vulnerability where the logs page is vulnerable to stored XSS. An unauthenticated user can simulate an agent registration to cause the XSS and take over a user's session. With this access, it is then possible to run a new payload.....
6.2AI Score
0.002EPSS
U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April.....
7.1AI Score
TikTok comes one step closer to a US ban
The US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the immensely popular app. Social video platform TikTok has experienced explosive growth since it first appeared in 2017, and is now said to have well over 1.5...
7.2AI Score
FreeBSD : GLPI -- multiple vulnerabilities (faccf131-00d9-11ef-92b7-589cfc023192)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the faccf131-00d9-11ef-92b7-589cfc023192 advisory. GLPI is a Free Asset and IT Management Software package. When authentication is made against...
8.1CVSS
7.3AI Score
0.001EPSS
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 2ce1a2f1-0177-11ef-a45e-08002784c58d advisory. sp2ip reports: If attacker-supplied data is provided to the Ruby regex ...
7AI Score
FreeBSD : GLPI -- multiple vulnerabilities (ed688880-00c4-11ef-92b7-589cfc023192)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ed688880-00c4-11ef-92b7-589cfc023192 advisory. GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior...
9.8CVSS
9.4AI Score
0.001EPSS
FreeBSD : sdl2_sound -- multiple vulnerabilities (304d92c3-00c5-11ef-bd52-080027bff743)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 304d92c3-00c5-11ef-bd52-080027bff743 advisory. stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted...
7.8CVSS
7.9AI Score
0.001EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user...
5.4CVSS
5.9AI Score
0.0004EPSS
FreeBSD : GLPI -- multiple vulnerabilities (bb49f1fa-00da-11ef-92b7-589cfc023192)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the bb49f1fa-00da-11ef-92b7-589cfc023192 advisory. GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service...
7.7CVSS
7.3AI Score
0.001EPSS
A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file prodList.php. The manipulation of the argument prodType leads to cross site scripting. The attack can.....
5.4CVSS
4.2AI Score
0.001EPSS
A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file prodInfo.php. The manipulation of the argument prodId leads to cross site scripting. The attack may be launched....
3.5CVSS
3.7AI Score
0.0004EPSS
A vulnerability classified as problematic has been found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. This affects an unknown part of the file login.php. The manipulation of the argument txtAddress leads to cross site scripting. It is possible to initiate the attack remotely. The.....
3.5CVSS
3.7AI Score
0.0004EPSS
A vulnerability classified as problematic has been found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. This affects an unknown part of the file login.php. The manipulation of the argument txtAddress leads to cross site scripting. It is possible to initiate the attack remotely. The.....
3.5CVSS
6.2AI Score
0.0004EPSS
A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file prodList.php. The manipulation of the argument prodType leads to cross site scripting. The attack can.....
5.4CVSS
6.2AI Score
0.001EPSS
A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. It has been classified as problematic. Affected is an unknown function of the file search.php. The manipulation of the argument txtSearch leads to cross site scripting. It is possible to launch the attack...
5.4CVSS
4.2AI Score
0.001EPSS
A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. It has been classified as problematic. Affected is an unknown function of the file search.php. The manipulation of the argument txtSearch leads to cross site scripting. It is possible to launch the attack...
5.4CVSS
6.2AI Score
0.001EPSS
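The Kashipara entries above (prodList.php?prodType, prodInfo.php?prodId, search.php?txtSearch, login.php?txtAddress), the Tutor LMS 'tutor_instructor_list' shortcode entries, the NorthStar C2 logs page and the Super 8 chat entries all come down to one defect: a user-supplied string is written into HTML without output encoding. The block below is an added example written for this page, not code from any of those products; the parameter name, page layout, product rows and payload are constructed for illustration. It builds a search results page the vulnerable way and the hardened way, and runs from the command line with `php xss_demo.php` so the two outputs can be compared.

```php
<?php
/**
 * Added example for this page (not Kashipara, Tutor LMS, NorthStar or
 * Super 8 code). Parameter name, page layout, product rows and the payload
 * are constructed for illustration. Run with: php xss_demo.php
 */

// Vulnerable: the query string is copied straight into markup. Inside the
// <h1> it is parsed as HTML; inside the value="" attribute a double quote
// ends the attribute early, so a single payload can cover both contexts.
function render_search_vulnerable(string $q, array $hits): string
{
    $html  = "<h1>Results for {$q}</h1>\n";
    $html .= "<input name=\"txtSearch\" value=\"{$q}\">\n";
    foreach ($hits as $hit) {
        $html .= "<li><a href=\"prodInfo.php?prodId={$hit['id']}\">{$hit['name']}</a></li>\n";
    }
    return $html;
}

// Hardened: each untrusted value is encoded for the context it lands in.
// ENT_QUOTES encodes both quote styles, so the same helper is safe in
// element text and in double- or single-quoted attributes. The product id
// goes into a URL and is only ever numeric, so it is cast rather than encoded.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_search_hardened(string $q, array $hits): string
{
    $html  = '<h1>Results for ' . h($q) . "</h1>\n";
    $html .= '<input name="txtSearch" value="' . h($q) . "\">\n";
    foreach ($hits as $hit) {
        $id   = (int) $hit['id'];
        $name = h((string) $hit['name']);   // stored rows are untrusted too
        $html .= "<li><a href=\"prodInfo.php?prodId={$id}\">{$name}</a></li>\n";
    }
    return $html;
}

// --- Demo with constructed input -------------------------------------------
// The payload closes the attribute, then injects a script element. The
// second product name shows why stored data needs the same encoding: it is
// the chat-message / shortcode / logs-page case, where the attacker's text
// is saved first and rendered to someone else later.
$payload = '"><script>alert(document.cookie)</script>';
$hits    = [
    ['id' => 7, 'name' => 'Oak table'],
    ['id' => 9, 'name' => '<img src=x onerror=alert(1)>'],
];

echo "--- vulnerable ---\n", render_search_vulnerable($payload, $hits), "\n";
echo "--- hardened ---\n",   render_search_hardened($payload, $hits),   "\n";

// Self-check: nothing that the browser would treat as a tag may survive in
// the hardened output.
$safe = render_search_hardened($payload, $hits);
foreach (['<script', '<img'] as $needle) {
    if (strpos($safe, $needle) !== false) {
        fwrite(STDERR, "hardened output still contains {$needle}\n");
        exit(1);
    }
}
echo "self-check passed\n";
```

The same rule carries over to the other platforms named in this list. In WordPress plugin code (the Tutor LMS shortcode case) the context-specific helpers are esc_html(), esc_attr() and esc_url() in place of the h() function above, applied at output time rather than relying on sanitisation at save time. In a browser-side renderer (the Super 8 chat SDK case) the equivalent is to insert the message with textContent or createTextNode rather than innerHTML, so the string is never parsed as markup at all.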