
WordPress Alipay|Tenpay|PayPal Integration Plugin Security Vulnerabilities

cve

CVE-2012-5798

The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid...

6.7AI Score

0.001EPSS

2022-10-03 04:15 PM
28
cvelist

CVE-2012-5798

The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid...

6.5AI Score

0.001EPSS

2022-10-03 04:15 PM
cvelist

CVE-2012-5801

The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the....

6.6AI Score

0.001EPSS

2022-10-03 04:15 PM
cvelist

CVE-2012-5806

The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to....

6.4AI Score

0.001EPSS

2022-10-03 04:15 PM
1
cve

CVE-2012-5801

The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the....

6.8AI Score

0.001EPSS

2022-10-03 04:15 PM
24
cve

CVE-2012-5806

The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to....

6.7AI Score

0.001EPSS

2022-10-03 04:15 PM
20
cve

CVE-2012-5805

The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different.....

6.6AI Score

0.001EPSS

2022-10-03 04:15 PM
21
cvelist

CVE-2012-5805

The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different.....

6.3AI Score

0.001EPSS

2022-10-03 04:15 PM
cvelist

CVE-2011-5237

PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid...

6.5AI Score

0.001EPSS

2022-10-03 04:15 PM
cve

CVE-2011-5237

PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid...

6.7AI Score

0.001EPSS

2022-10-03 04:15 PM
17
cve

CVE-2013-0118

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's...

6.6AI Score

0.002EPSS

2022-10-03 04:15 PM
28
cvelist

CVE-2013-0118

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's...

7AI Score

0.002EPSS

2022-10-03 04:15 PM
cvelist

CVE-2004-2247

Unknown vulnerability in the "admin of paypal email addresses" in AudienceConnect before 1.0.beta.21 has unknown impact and attack...

6.5AI Score

0.002EPSS

2022-10-03 04:14 PM
cve

CVE-2004-2247

Unknown vulnerability in the "admin of paypal email addresses" in AudienceConnect before 1.0.beta.21 has unknown impact and attack...

6.9AI Score

0.002EPSS

2022-10-03 04:14 PM
32
cnvd

Sichuan Tianyi Kanghe Communication Co., Ltd. TY-6201A has a logic flaw vulnerability

TY-6201A is a cost-effective full-band Wi-Fi 6 wireless router. Sichuan Tianyi Kanghe Communication Co., Ltd. TY-6201A has a logic flaw vulnerability, which can be exploited by attackers to request specific paths via POST to achieve permissionless password...

4.7AI Score

2022-09-30 12:00 AM
10
cnvd

Sichuan Tianyi Kanghe Communication Co., Ltd. TY-6201A has information leakage vulnerability

TY-6201A is a cost-effective full-band Wi-Fi 6 wireless router. Sichuan Tianyi Kanghe Communication Co., Ltd. TY-6201A has an information disclosure vulnerability, which can be exploited by attackers to obtain sensitive...

2.8AI Score

2022-09-30 12:00 AM
8
githubexploit

Exploit for CVE-2022-21350

Why are there two PoCs, one of which includes com._51pwn.hktalent.CreatJar.main(args);...

6.5CVSS

6.6AI Score

0.001EPSS

2022-09-28 05:38 AM
255
githubexploit

Exploit for Cross-site Scripting in Helpsystems Cobalt Strike

CVE-2022-39197 patch CVE-2022-39197 Cobalt Strike XSS...

6.1CVSS

6.5AI Score

0.008EPSS

2022-09-26 08:58 AM
742
thn

Authorities Shut Down WT1SHOP Site for Selling Stolen Credentials and Credit Cards

An international law enforcement operation has resulted in the dismantling of WT1SHOP, an online criminal marketplace that specialized in the sales of stolen login credentials and other personal information. The seizure was orchestrated by Portuguese authorities, with the U.S. officials taking...

1.6AI Score

2022-09-07 12:56 PM
13
schneier

Clever Phishing Scam Uses Legitimate PayPal Messages

Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging. Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request to download and...

2.2AI Score

2022-09-01 12:18 PM
8
cnvd

Command Execution Vulnerability in SmoothT Proprietary Cloud

SmoothT Proprietary Cloud is a cloud ERP system that integrates the whole scenario of doing business, managing business, and watching business. A command execution vulnerability exists in SmoothT Proprietary Cloud, which can be exploited by attackers to execute arbitrary...

4.6AI Score

2022-08-29 12:00 AM
6
githubexploit

Exploit for Improper Authentication in Linux Linux Kernel

CVE-2022-0492-Container-Escape...

7.8CVSS

8.4AI Score

0.095EPSS

2022-08-27 04:02 AM
211
cnvd

Beijing Century Super Star Information Technology Development Co., Ltd. has a stored XSS vulnerability in Learning Pass

Learning Pass is a course learning, knowledge dissemination and management sharing platform built on a microservice architecture. Beijing Century Super Star Information Technology Development Co., Ltd. has a stored XSS vulnerability, which can be used by attackers to obtain sensitive information...

2.4AI Score

2022-08-25 12:00 AM
4
githubexploit

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

CVE-2022-22947 in-memory webshell injection; supports injecting three kinds of in-memory webshells ``` Usage: usage -t ...

10CVSS

10AI Score

0.975EPSS

2022-08-23 06:38 AM
152
githubexploit

Exploit for Path Traversal in Inglorion Muhttpd

CVE-2022-31793 -u specify the IP -l...

7.5CVSS

7.6AI Score

0.303EPSS

2022-08-19 01:42 AM
164
krebs

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to.....

-0.2AI Score

2022-08-18 03:27 PM
12
nuclei

Zimbra Collaboration Suite 8.8.15/9.0 - Remote Code Execution

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code...

9.8CVSS

9AI Score

0.975EPSS

2022-08-17 03:20 AM
21
securelist

Two more malicious Python packages in the PyPI

On August 8, CheckPoint published a report on ten malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers' personal data and credentials. Following this research, we used...

-0.1AI Score

2022-08-16 12:00 PM
27
kitploit

RedGuard - C2 Front Flow Control Tool, Can Avoid Blue Teams, AVs, EDRs Check

0x00 Introduction Tool introduction RedGuard is a derivative work of the C2 facility pre-flow control technology. It has a lighter design, efficient flow interaction, and reliable compatibility with go language development. The core problem it solves is also in the face of increasingly complex red....

6.5AI Score

2022-08-15 12:30 PM
23
thn

Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments

Security flaws have been identified in Xiaomi Redmi Note 9T and Redmi Note 11 models, which could be exploited to disable the mobile payment mechanism and even forge transactions via a rogue Android app installed on the devices. Check Point said it found the flaws in devices powered by MediaTek...

7.5CVSS

0.9AI Score

0.001EPSS

2022-08-12 12:20 PM
38
impervablog

Cybersecurity and PR: Making Data Protection Public

The customer cares Customers regularly see news about privacy and hacking, and they want to know that it’s safe for them to give over their personal data. A lack of trust in an eCommerce site is a leading reason why potential customers abandon their shopping carts. Consumers have no shortage of...

-0.1AI Score

2022-08-11 01:02 PM
7
msrc

Security Update Guide Notification System: Create your profile now

This blog post is an abridged translation of Security Update Guide Notification System News: Create your profile now. Refer to the original article for the latest information....

1.1AI Score

2022-08-10 07:00 AM
6
githubexploit

9.8CVSS

9.8AI Score

0.942EPSS

2022-08-08 03:38 AM
257
githubexploit

9.8CVSS

9.8AI Score

0.942EPSS

2022-08-08 03:38 AM
309
nvd

CVE-2022-36284

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile...

6.5CVSS

0.001EPSS

2022-08-05 04:15 PM
cve

CVE-2022-36284

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile...

6.5CVSS

6.3AI Score

0.001EPSS

2022-08-05 04:15 PM
39
4
prion

Design/Logic Flaw

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile...

6.5CVSS

6.4AI Score

0.001EPSS

2022-08-05 04:15 PM
6
githubexploit

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

CVE-2022-22947 CVE-2022-22947简介 Spring Cloud Gateway...

10CVSS

9.9AI Score

0.975EPSS

2022-08-03 02:51 AM
388
githubexploit

Exploit for Type Confusion in Linux Linux Kernel

CVE-2022-34918 LPE POC...

7.8CVSS

8.1AI Score

0.006EPSS

2022-08-02 09:52 AM
627
osv

Malicious code in pplogger-paypal (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (2f79d96a39bd0701b0be053e0cad25703bda81b63b17638a10a26a1e023a91d1) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2022-08-02 08:56 AM
7
wpvulndb

Affiliate For WooCommerce < 4.8.0 - Subscriber+ Paypal Email Update via IDOR

The plugin allows users with a role as low as subscriber to change the PayPal Email via an IDOR attack when the WooCommerce PayPal Payments plugin is also...

6.5CVSS

4.7AI Score

0.001EPSS

2022-08-02 12:00 AM
9
cnvd

Huatian Power OA system arbitrary file upload vulnerability

Huatian Power OA System is a collaborative office software developed by Dalian Huatian Software Co. There is an arbitrary file upload vulnerability in Huatian Power OA system, which can be exploited by attackers to upload arbitrary files to the...

5.2AI Score

2022-08-02 12:00 AM
8
cvelist

CVE-2022-36284 WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile...

6.4CVSS

6.6AI Score

0.001EPSS

2022-08-01 12:00 AM
patchstack

WordPress Affiliate For WooCommerce premium plugin <= 4.7.0 - Authenticated IDOR vulnerability leading to PayPal email change

Authenticated IDOR vulnerability leading to PayPal email change discovered by Vlad Vector (Patchstack) in WordPress Affiliate For WooCommerce premium plugin (versions <= 4.7.0). Solution: Update the WordPress Affiliate For WooCommerce plugin to the latest available version (at least...

6.5CVSS

4.4AI Score

0.001EPSS

2022-08-01 12:00 AM
8
huntr

CSRF vulnerability exists in modifying user information (including password)

Description: CSRF vulnerability in user information modification page # Proof of Concept In \app\home\c\UserController $re = M('member')->update(['id'=>$this->member['id']],$w); $member = M('member')->find(['id'=>$this->member['id']]); unset($member['pass']); ...

1.2AI Score

2022-07-30 11:04 AM
8
krebs

Breach Exposes Users of Microleaves Proxy Service

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but.....

-0.3AI Score

2022-07-28 06:52 PM
17
threatpost

Messaging Apps Tapped as Platform for Cybercriminal Activity

Cybercriminals are tapping the built-in services of popular messaging apps like Telegram and Discord as ready-made platforms to help them perform their nefarious activity in persistent campaigns that threaten users, researchers have found. Threat actors are tapping the multi-feature nature of...

-0.3AI Score

2022-07-27 04:57 PM
23
osv

Malicious code in hyperwallet-sdk-paypal (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (8c07de9253a4872758b8cb7ec4ec1694ce3105498eef8312573d0eb7ff5daeb1) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2022-07-26 01:35 PM
5
threatpost

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

The bloom is back on phishing attacks with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands in attacks, according to study on phishing released Tuesday. The study by Vade...

0.5AI Score

2022-07-26 01:05 PM
35
impervablog

Four Main Reasons Shoppers Abandon eCommerce Carts

More than just window shopping eCommerce shopping cart abandonment causes brands a sobering USD 18 Billion in annual revenue [Forrester Research]. While rates differ by device, with mobile and tablet device users most likely to leave before completing their order, nearly 70 percent of shoppers...

-0.6AI Score

2022-07-25 01:38 PM
9
Total number of security vulnerabilities: 15129