AI Score: 7.1 | EPSS: 0.0004
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 94 vulnerabilities disclosed in 81 WordPress.....
CVSS: 9.9 | AI Score: 9.4 | EPSS: 0.001
Facebook spied on Snapchat users to get analytics about the competition
Social media giant Facebook snooped on Snapchat users' network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That's according to a court document filed March 23, 2024. The document mentions Facebook’s so-called In-App Action Panel (IAAP) program,....
AI Score: 6.9
Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection
A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale. "Using iMessage and RCS rather than SMS to send...
AI Score: 7.2
Rrgen - A Header Only C++ Library For Storing Safe, Randomly Generated Data Into Modern Containers
This library was developed to combat insecure methods of storing random data into modern C++ containers. For example, old and clunky PRNGs. Thus, rrgen uses STL's distribution engines in order to efficiently and safely store a random number distribution into a given C++ container. Installation 1).....
AI Score: 7.2
auto-osix.fi Cross Site Scripting vulnerability OBB-3890176
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score: 6.2
Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs
In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends' email addresses in exchange for free pizza. "Whereas people say they care...
AI Score: 7.2
[SECURITY] Fedora 40 Update: ofono-2.5-1.fc40
oFono.org is a place to bring developers together around designing an infrastructure for building mobile telephony (GSM/UMTS) applications. oFono includes a high-level D-Bus API for use by telephony applications. oFono also includes a low-level plug-in API for integrating with telephony stacks,...
CVSS: 8.1 | AI Score: 6.6 | EPSS: 0.001
The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary...
AI Score: 7.6 | EPSS: 0.0004
The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary...
AI Score: 7.3 | EPSS: 0.0004
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2024:1002-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1002-1 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This...
CVSS: 7.5 | AI Score: 8.6 | EPSS: 0.001
AI Score: 7.2 | EPSS: 0.0004
SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2024:1000-1)
The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1000-1 advisory. An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent...
AI Score: 5.9 | EPSS: 0.0004
AI Score: 7.4 | EPSS: 0.0004
AI Score: 7.4
The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary...
AI Score: 7.5 | EPSS: 0.0004
The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary...
AI Score: 7.6 | EPSS: 0.0004
Noia - Simple Mobile Applications Sandbox File Browser Tool
Noia is a web-based tool whose main aim is to ease the process of browsing mobile applications sandbox and directly previewing SQLite databases, images, and more. Powered by frida.re. Please note that I'm not a programmer, but I'm probably above the median in code-savviness. Try it out, open an...
AI Score: 7.2
Disturbing robocaller fined $9.9 million
A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls. Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in...
AI Score: 6.9
Server Side Request Forgery (SSRF)
mobsfscan is vulnerable to Server Side Request Forgery. The vulnerability is due to inadequate input validation when extracting the android:host hostname attribute within the AndroidManifest.xml file, allowing attackers to manipulate requests and potentially make connections to internal-only services....
CVSS: 7.5 | AI Score: 7.1 | EPSS: 0.001
Rocky Linux 8 : firefox (RLSA-2024:1484)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1484 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the...
CVSS: 7.5 | AI Score: 9 | EPSS: 0.001
Salon Booking System < 9.6.3 - Unauthenticated Stored XSS
Description: The plugin does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the...
AI Score: 6 | EPSS: 0.0004
Salon booking system < 9.6.3 - Unauthenticated Stored XSS
Description: The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...
AI Score: 6 | EPSS: 0.0004
Salon booking system < 9.6.3 - Unauthenticated Stored XSS
Description: The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...
AI Score: 5.6 | EPSS: 0.0004
AI Score: 7.4
AI Score: 7.4
Salon Booking System < 9.6.3 - Unauthenticated Stored XSS
Description: The plugin does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the...
AI Score: 5.9 | EPSS: 0.0004
A vulnerability was found in code-projects Mobile Shop 1.0. It has been classified as critical. Affected is an unknown function of the file Details.php of the component Login Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit....
CVSS: 7.3 | AI Score: 7.4 | EPSS: 0.0004
A vulnerability was found in code-projects Mobile Shop 1.0. It has been classified as critical. Affected is an unknown function of the file Details.php of the component Login Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit....
CVSS: 7.3 | AI Score: 7.5 | EPSS: 0.0004
CVE-2024-2927 code-projects Mobile Shop Login Page Details.php sql injection
A vulnerability was found in code-projects Mobile Shop 1.0. It has been classified as critical. Affected is an unknown function of the file Details.php of the component Login Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit....
CVSS: 7.3 | AI Score: 7.8 | EPSS: 0.0004
Recent ‘MFA Bombing’ Attacks Targeting Apple Users
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used...
AI Score: 6.6
Patch now: Mozilla patches two critical vulnerabilities in Firefox
Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn't affect mobile.....
AI Score: 7.6 | EPSS: 0.0005
YouTube ordered to reveal the identities of video viewers
Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen. Of those users that weren’t logged in when they watched those videos between January 1...
AI Score: 6.9
Oracle Linux 7 : firefox (ELSA-2024-1486)
The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-1486 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the...
CVSS: 7.5 | AI Score: 9 | EPSS: 0.001
AI Score: 7.4
Oracle Linux 8 : firefox (ELSA-2024-1484)
The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-1484 advisory. AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters() could have experienced integer overflows, causing...
CVSS: 7.5 | AI Score: 9 | EPSS: 0.001
AI Score: 7.4
Oracle Linux 9 : firefox (ELSA-2024-1485)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1485 advisory. To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This...
CVSS: 7.5 | AI Score: 9 | EPSS: 0.001
AI Score: 7.4
KaTeX's maxExpand bypassed by Unicode sub/superscripts
Impact: KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX....
CVSS: 6.5 | AI Score: 7.3 | EPSS: 0.0004
KaTeX's maxExpand bypassed by Unicode sub/superscripts
Impact: KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX....
CVSS: 6.5 | AI Score: 6.9 | EPSS: 0.0004
KaTeX's maxExpand bypassed by `\edef`
Impact: KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be....
CVSS: 6.5 | AI Score: 7 | EPSS: 0.0004
KaTeX's maxExpand bypassed by `\edef`
Impact: KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be....
CVSS: 6.5 | AI Score: 7.4 | EPSS: 0.0004
Top 4 Industries at Risk of Credential Stuffing and Account Takeover (ATO) attacks
All industries are at risk of credential stuffing and account takeover (ATO) attacks. However, some industries are at a greater risk because of the sensitive information or volume of customer data they possess. While cyber-attacks come in all forms and techniques, credential stuffing involves an...
AI Score: 6.9
Apple iOS < 17.4.1 Multiple Vulnerabilities (HT214097)
The version of Apple iOS running on the mobile device is prior to 17.4.1. It is, therefore, affected by multiple...
AI Score: 6.6
Debian dla-3775 : firefox-esr - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3775 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private...
CVSS: 7.5 | AI Score: 8.5 | EPSS: 0.001
AI Score: 7.4
CentOS 7 : firefox (RHSA-2024:1486)
The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:1486 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the...
CVSS: 7.5 | AI Score: 9.1 | EPSS: 0.001
Ubuntu 20.04 LTS : Firefox vulnerabilities (USN-6710-1)
The remote Ubuntu 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6710-1 advisory. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This...
AI Score: 7.2 | EPSS: 0.0005
AI Score: 7.4