WordLift – AI Powered SEO – Schema Security Vulnerabilities

RHEL 7 : grub2 (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling (CVE-2021-3696) ...

RHEL 6 : bluez (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. bluez: double free in gatttool client disconnect callback handler in src/shared/att.c could lead to DoS...

RHEL 5 : postgresql (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. postgresql: Improper randomization of pgcrypto functions (requiring random seed) (CVE-2013-1900) ...

RHEL 6 : python-ldap (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. python-ldap: Regular expression denial of service in LDAP schema parser (CVE-2021-46823) Note that Nessus has not...

RHEL 6 : postgresql (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. postgresql: psql's \gset allows overwriting specially treated variables (CVE-2020-25696) postgresql:...

RHEL 7 : postgresql (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. postgresql: psql's \gset allows overwriting specially treated variables (CVE-2020-25696) postgresql:...

RHEL 7 : sqlite (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. sqlite: Heap-buffer overflow in the getNodeSize function (CVE-2017-10989) sqlite: Out of bounds access...

RHEL 6 : kernel (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. kernel: Buffer overflow due to unbounded strcpy in ISDN I4L driver (CVE-2017-12762) kernel: lack of port...

RHEL 6 : mysql (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. mysql: unspecified vulnerability in subcomponent: Server: Parser (CPU July 2016) (CVE-2016-3477) mysql:...

New LLMjacking Attack Lets Hackers Hijack AI Models for Profit

By Deeba Ahmed Researchers uncover a novel cyberattack scheme called "LLMjacking" exploiting stolen cloud credentials to hijack powerful AI models. This article explores the implications of attackers leveraging large language models (LLMs) for malicious purposes and offers security recommendations....

New Attack Against Self-Driving Car AI

This is another attack that convinces the AI to ignore road signs: Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the...

CensysGPT: AI-Powered Threat Hunting for Cybersecurity Pros (Webinar)

Artificial intelligence (AI) is transforming cybersecurity, and those leading the charge are using it to outsmart increasingly advanced cyber threats. Join us for an exciting webinar, "The Future of Threat Hunting is Powered by Generative AI," where you'll explore how AI tools are shaping the...

Researchers Uncover 'LLMjacking' Scheme Targeting Cloud-Hosted AI Models

Cybersecurity researchers have discovered a novel attack that employs stolen cloud credentials to target cloud-hosted large language model (LLM) services with the goal of selling access to other threat actors. The attack technique has been codenamed LLMjacking by the Sysdig Threat Research Team....

CVE-2024-4481 Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2024-4481 Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This...

Gutenberg Blocks by Kadence Blocks – Page Builder Features < 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer

Description The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown timer in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-4082 Joli FAQ SEO – WordPress FAQ Plugin <= 1.3.2 - Cross-Site Request Forgery

The Joli FAQ SEO – WordPress FAQ Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the...

CVE-2024-4335 Rank Math SEO with AI Best SEO Tools <= 1.0.217 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textAlign’ parameter in versions up to, and including, 1.0.217 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-4041 Yoast SEO <= 22.5 - Reflected Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

CVE-2024-4041 Yoast SEO <= 22.5 - Reflected Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

Elevating Security: Qualys Unveils First Solution for Scanning AWS Bottlerocket in Amazon EKS and Amazon ECS

With this new offering, Qualys establishes itself as the first and only vendor solution with the unique ability to scan AWS Bottlerocket instances directly using the Qualys Cloud Agent and TotalCloud Agent-less Snapshot-Based Scan. This innovative capability empowers organizations to...

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 29, 2024 to May 5, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 164 vulnerabilities disclosed in 145...

How Criminals Are Using Generative AI

There's a new report on how criminals are using generative AI tools: Key Takeaways: Adoption rates of AI technologies among criminals lag behind the rates of their industry counterparts because of the evolving nature of cybercrime. Compared to last year, criminals seem to have abandoned any...

How AI enhances static application security testing (SAST)

In a 2023 GitHub survey, developers reported that their top task, second only to writing code (32%), was finding and fixing security vulnerabilities (31%). As their teams "shift left" and integrate security checks earlier into the software development lifecycle (SDLC), developers have become the...

The Future of Phishing Email Training for Employees in Cybersecurity

By Waqas Discover the future of phishing email training, including personalized simulations, gamification, AI, and realistic scenarios. Empower your employees to combat evolving cyber threats and protect your organization. This is a post from HackRead.com Read the original post: The Future of...

Spring AI - Structured Output

UPDATE: (04.06.2024) Adde snippets for using structured output with the new, fluent ChatClient API . UPDATE: (17.05.2024) Generic Types support for BeanOutputConverter added. Science works with chunks and bits and pieces of things with the continuity presumed, and Art works only with the...

Gutenberg Blocks with AI by Kadence WP – Page Builder Features < 3.2.20 - Contributor+ Server-Side Request Forgery

Description The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.19. This makes it possible for authenticated attackers, with contributor-level access and above, to make web...

Gutenberg Blocks with AI by Kadence WP < 3.2.37 - Contributor+ Stored Cross-Site Scripting via Block Link

Description The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied...

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact XML External entity injections could be possible, when running the provided XML Validator on arbitrary input. POC ```js const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new...

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact XML External entity injections could be possible, when running the provided XML Validator on arbitrary input. POC ```js const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new...

How implementing a trust fabric strengthens identity and network

The identity security landscape is transforming rapidly. Every digital experience and interaction is an opportunity for people to connect, share, and collaborate. But first, we need to know we can trust those digital experiences and interactions. Customers note a massive rise in the sheer number...

CVE-2024-32980

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use self requests without a specified URL authority can be induced to make requests to arbitrary hosts via the Host HTTP header....

CVE-2024-32980

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use self requests without a specified URL authority can be induced to make requests to arbitrary hosts via the Host HTTP header....

CVE-2024-32980

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use self requests without a specified URL authority can be induced to make requests to arbitrary hosts via the Host HTTP header....

CVE-2024-32980 Spin contains a potential network sandbox escape for specifically configured Spin applications

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use self requests without a specified URL authority can be induced to make requests to arbitrary hosts via the Host HTTP header....

CVE-2024-32980 Spin contains a potential network sandbox escape for specifically configured Spin applications

Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use self requests without a specified URL authority can be induced to make requests to arbitrary hosts via the Host HTTP header....

CVE-2024-30459

Missing Authorization vulnerability in AIpost AI WP Writer.This issue affects AI WP Writer: from n/a through...

CVE-2024-30459

Missing Authorization vulnerability in AIpost AI WP Writer.This issue affects AI WP Writer: from n/a through...

Desperate Taylor Swift fans defrauded by ticket scams

Ticket scams are very common and apparently hard to stop. When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers. With a ticket scam, you pay for a ticket and you either don’t receive....

CVE-2024-30459 WordPress AI WP Writer plugin <= 3.6.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in AIpost AI WP Writer.This issue affects AI WP Writer: from n/a through...

Best API Security Product: Wallarm wins 2024 Cybersecurity Excellence Award

We are thrilled to announce that Wallarm has clinched the sought-after 2024 Cybersecurity Excellence Award, under the category Best API Security Product. Our unwavering commitment to pioneering solutions that safeguard digital ecosystems, and fortify API security amidst the evolving cyber threat...

Site Reviews < 7.0.0 - IP Spoofing

Description The plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass IP-based...

Site Reviews < 7.0.0 - IP Spoofing

Description The plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass IP-based blocking PoC Request sent to the server to add review: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:8888...

Microsoft announces the 2024 Microsoft Security Excellence Awards winners

At this year's Microsoft Security Excellence Awards, we took a journey through the evolution of cybersecurity from the 1950s to today. While this event theme celebrated the significant technological advancements that have shaped each decade, the main focus was on the Microsoft Intelligent Security....

Hunters Announces Full Adoption of OCSF and Introduces OCSF-Native Search

By Cyber Newswire Hunters, the pioneer in modern SOC platforms, today announced its full adoption of the Open Cybersecurity Schema Framework… This is a post from HackRead.com Read the original post: Hunters Announces Full Adoption of OCSF and Introduces OCSF-Native...

Accelerating Zero Trust Outcomes with Generative AI, Part 2: Guardicore AI

...

Spring Tips: Vector Databases with Spring AI

Hi, Spring fans! In this installment, we look at the amazing support for vector databases in Spring...

AI Engine < 2.1.5 - Authenticated (Editor+) Server-Side Request Forgery

Description The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4 via the download_image function. This makes it possible for authenticated attackers, with editor-level access and above, to make web requests to arbitrary...

Joli FAQ SEO – WordPress FAQ Plugin < 1.3.3 - Cross-Site Request Forgery

Description The Joli FAQ SEO – WordPress FAQ Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to...

Rank Math SEO with AI Best SEO Tools < 1.0.218 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textAlign’ parameter in versions up to, and including, 1.0.217 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...