WordPress Alipay | Tenpay | PayPal Integration Plugin (WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件) Security Vulnerabilities

cvelist

CVE-2022-3983 Checkout for PayPal < 1.0.14 - Contributor+ Stored XSS

The Checkout for PayPal WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting...

5.6AI Score

0.001EPSS

2022-12-19 01:41 PM
krebs

Six Charged in Mass Takedown of DDoS-for-Hire Sites

The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold "booter" or "stresser" services -- businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed to knock targets offline. The DOJ also charged....

0.4AI Score

2022-12-14 07:58 PM
12
malwarebytes

A week in security (December 5 - 11)

Last week on Malwarebytes Labs: Security advisories are falling short. Here's why, with Dustin Childs: Lock and Code S03E25 Eufy "no cloud" security cameras streaming data to the cloud Snapchat gives Californians more power over their personal data Update now! Emergency fix for Google Chrome's V8.....

AI Score

2022-12-12 03:00 AM
7
cnvd

Huatian Power Collaboration Office System has information leakage vulnerability

Dalian Huatian Software Co., Ltd. is a high-tech enterprise established according to the international advanced management model and system, and is a collaborative management software company known for its leading technology. There is an information leakage vulnerability in Huatian Power...

2.2AI Score

2022-12-12 12:00 AM
9
githubexploit

Exploit for Code Injection in Apache Commons Text

text4shellburpscanner...

0.4AI Score

2022-12-09 08:18 AM
355
securelist

Main phishing and scamming trends and techniques

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers deploy social engineering to persuade targets to transfer money on.....

-0.1AI Score

2022-12-06 10:00 AM
22
malwarebytes

Watch out for this triple threat PayPal phish

ZDNet reports an interesting form of PayPal scam sent to one of their own writers. The scam is a so-called "triple threat" phish, in that it gives the scammer three different ways to potentially collect some ill-gotten gains from potential victims. The idea is that if one of the three tactics...

0.7AI Score

2022-12-05 11:00 PM
8
schneier

CAPTCHA

This is an actual CAPTCHA I was shown when trying to log into PayPal. As an actual human and not a bot, I had no idea how to answer. Is this a joke? (Seems not.) Is it a Magritte-like existential question? (It's not a bicycle. It's a drawing of a bicycle. Actually, it's a photograph of a drawing...

0.7AI Score

2022-12-05 12:10 PM
6
githubexploit

Exploit for Authentication Bypass by Spoofing in Apache Apisix

POC Collected POCs CVE-2022-24112...

9.8CVSS

0.9AI Score

0.974EPSS

2022-12-03 02:31 PM
299
cnvd

WordPress Donations via PayPal plugin cross-site scripting vulnerability

WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; a WordPress plugin is an add-on that extends it. The WordPress Donations via PayPal plugin in versions before 1.9.9 has a cross-site scripting vulnerability that...

4.8CVSS

1AI Score

0.001EPSS

2022-11-30 12:00 AM
7
nvd

CVE-2022-3822

The Donations via PayPal WordPress plugin before 1.9.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

0.001EPSS

2022-11-28 02:15 PM
cve

CVE-2022-3822

The Donations via PayPal WordPress plugin before 1.9.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

4.7AI Score

0.001EPSS

2022-11-28 02:15 PM
37
2
prion

Cross site scripting

The Donations via PayPal WordPress plugin before 1.9.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

4.7AI Score

0.001EPSS

2022-11-28 02:15 PM
3
cvelist

CVE-2022-3822 Donations via PayPal < 1.9.9 - Admin+ Stored XSS

The Donations via PayPal WordPress plugin before 1.9.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5AI Score

0.001EPSS

2022-11-28 01:47 PM
securelist

Black Friday shoppers beware: online threats so far in 2022

The shopping event of the year, Black Friday, is almost here, and while the big day does not officially arrive until Friday, November 25th, deals are already starting. The day kickstarts the frenzied holiday shopping season with eye-catching promotional deals that lure shoppers into spending more.....

-0.4AI Score

2022-11-23 08:00 AM
18
patchstack

WordPress Checkout for PayPal plugin <= 1.0.13 - Auth. Stored Cross-Site Scripting (XSS) vulnerability

Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes in WordPress Checkout for PayPal plugin (versions <= 1.0.13). Solution: Update the WordPress Checkout for PayPal plugin to the latest available version (at least...

2.2AI Score

0.001EPSS

2022-11-22 12:00 AM
1
wpvulndb

Checkout for PayPal < 1.0.14 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. PoC: As a contributor, put the following shortcode in a page/post...

5.4CVSS

2.3AI Score

0.001EPSS

2022-11-22 12:00 AM
6
wpexploit

Checkout for PayPal < 1.0.14 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting...

5.4CVSS

1AI Score

0.001EPSS

2022-11-22 12:00 AM
112
schneier

First Review of A Hacker’s Mind

Kirkus reviews A Hacker's Mind: A cybersecurity expert examines how the powerful game whatever system is put before them, leaving it to others to cover the cost. Schneier, a professor at Harvard Kennedy School and author of such books as Data and Goliath and Click Here To Kill Everybody,...

AI Score

2022-11-18 06:08 PM
9
githubexploit

Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server

VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972 **zoomeye...

9.8CVSS

3.4AI Score

0.973EPSS

2022-11-17 08:08 AM
232
nuclei

WordPress Metform <=2.1.3 - Information Disclosure

WordPress Metform plugin through 2.1.3 is susceptible to information disclosure due to improper access control in the ~/core/forms/action.php file. An attacker can view all API keys and secrets of integrated third-party APIs such as that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA.....

7.5CVSS

7.2AI Score

0.033EPSS

2022-11-13 10:49 AM
3
thn

Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data

Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive...

0.3AI Score

2022-11-07 10:49 AM
43
huntr

There is an RCE vulnerability

Description - There is an RCE vulnerability in qmpaas/leadshop (https://github.com/qmpaas/leadshop) (v1.4.15). An attacker can access the file leadshop.php and call any existing function through GET to control the target host. The vulnerability is in the leadshop/web/leadshop.php[27-61] file...

9.8CVSS

0.3AI Score

0.002EPSS

2022-11-07 09:25 AM
154
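The Metform entry above (API keys readable through an action file with no access control) and the leadshop entry (any existing PHP function reachable by name from a GET parameter) are two faces of the same handler mistake: the request decides what runs and who may run it. The following is an added illustration, not code from either project; the handler name demo_form_action, the option name demo_form_integrations and the helper functions are hypothetical. The hardened handler keeps a closed map of sub-actions, requires a capability and a nonce (the page would obtain one with wp_create_nonce('demo_form_action')), and never returns key material.

```php
<?php
// Added illustration, not Metform's or leadshop's code. Hypothetical names throughout.

// --- Vulnerable pattern 1: the caller names the function ---
// Anything callable by name becomes reachable, e.g. ?m=system&a=id
function demo_dispatch_vulnerable() {
    $method = $_GET['m'] ?? '';
    $arg    = $_GET['a'] ?? '';
    if ( function_exists( $method ) ) {
        return call_user_func( $method, $arg );   // attacker chooses $method and $arg
    }
    return null;
}

// --- Vulnerable pattern 2: secrets returned without any access check ---
function demo_get_keys_vulnerable() {
    return get_option( 'demo_form_integrations' ); // PayPal/Stripe keys, no capability check
}

// --- Hardened handler: capability, nonce, fixed allowlist, no secrets in the response ---
function demo_form_action_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );        // exits
    }
    check_ajax_referer( 'demo_form_action', 'nonce' ); // dies on a missing or bad nonce

    // Client-supplied names map to a closed set of handlers; nothing is called by raw name.
    $handlers = array(
        'list_integrations' => 'demo_list_integrations',
        'test_connection'   => 'demo_test_connection',
    );
    $action = sanitize_key( $_POST['sub_action'] ?? '' );
    if ( ! isset( $handlers[ $action ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }
    wp_send_json_success( call_user_func( $handlers[ $action ] ) );
}
add_action( 'wp_ajax_demo_form_action', 'demo_form_action_safe' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers get nothing.

function demo_list_integrations() {
    $opts = get_option( 'demo_form_integrations', array() );
    $out  = array();
    foreach ( $opts as $name => $cfg ) {
        // Report whether a key is configured, never the key itself.
        $out[ $name ] = array( 'configured' => ! empty( $cfg['secret'] ) );
    }
    return $out;
}

function demo_test_connection() {
    return array( 'ok' => true );
}
```

The allowlist is the point that fixes both bugs at once: with a fixed map there is no way to reach system() or any other function the author did not list, and the capability check in front of it means an unauthenticated request never gets as far as the option read.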
wpvulndb

Donations via PayPal < 1.9.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). PoC: 1. Click the 'Settings' button of this...

4.8CVSS

0.9AI Score

0.001EPSS

2022-11-04 12:00 AM
5
wpexploit

Donations via PayPal < 1.9.9 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

0.3AI Score

0.001EPSS

2022-11-04 12:00 AM
78
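Two WordPress plugin bugs on this page share a root cause. Checkout for PayPal (CVE-2022-3983) echoed shortcode attributes into the page unescaped, so a contributor, who cannot post raw HTML, could still smuggle markup in through a shortcode that is rendered for every visitor. Donations via PayPal (CVE-2022-3822) stored its settings without sanitising them, so an admin who lacks unfiltered_html (the multisite default) could still store script. The following is an added illustration, not code from either plugin; the shortcode demo_pay_button, the option demo_pay_settings and the function names are hypothetical. It shows the vulnerable shortcode handler beside a hardened one, and a settings sanitiser that honours unfiltered_html.

```php
<?php
// Added illustration, not the Checkout for PayPal or Donations via PayPal code.
// Hypothetical: "demo_pay_button" shortcode, "demo_pay_settings" option.

// --- Vulnerable: attribute values land in an HTML attribute unescaped ---
// A contributor writes [demo_pay_button label='x" onmouseover="alert(1)'] in a post.
// kses leaves the shortcode text alone on save; the handler later emits the raw value.
function demo_pay_button_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Pay', 'return' => '' ), $atts, 'demo_pay_button' );
    return '<input type="submit" value="' . $atts['label'] . '" data-return="' . $atts['return'] . '">';
}

// --- Hardened: constrain each attribute to the context it is written into ---
function demo_pay_button_safe( $atts ) {
    $atts   = shortcode_atts( array( 'label' => 'Pay', 'return' => '' ), $atts, 'demo_pay_button' );
    $label  = esc_attr( sanitize_text_field( $atts['label'] ) ); // attribute context
    $return = esc_url( $atts['return'] );                        // URL context; drops javascript: etc.
    return '<input type="submit" value="' . $label . '" data-return="' . $return . '">';
}
add_shortcode( 'demo_pay_button', 'demo_pay_button_safe' );

// --- Settings: sanitise on save, honouring unfiltered_html, and escape again on output ---
function demo_pay_sanitize_settings( $input ) {
    $clean = array();
    $clean['business_email'] = sanitize_email( $input['business_email'] ?? '' );
    $thanks = (string) ( $input['thanks_message'] ?? '' );
    // Raw HTML is kept only for users WordPress itself trusts with it; a multisite
    // admin without unfiltered_html gets the same kses filtering as post content.
    $clean['thanks_message'] = current_user_can( 'unfiltered_html' ) ? $thanks : wp_kses_post( $thanks );
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'demo_pay', 'demo_pay_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'demo_pay_sanitize_settings',
    ) );
} );

function demo_pay_render_thanks() {
    $opts = get_option( 'demo_pay_settings', array() );
    // Filter on output as well: stored values may predate the sanitiser.
    return '<div class="demo-pay-thanks">' . wp_kses_post( $opts['thanks_message'] ?? '' ) . '</div>';
}
```

The check a reviewer applies to either plugin is the same: for every value that came from a user (shortcode attribute, option, post meta), find the line that prints it and confirm it passes through the escaper for that output context (esc_attr, esc_url, esc_html, wp_kses_post) immediately before output. Sanitising on save alone is not enough, because the database already holds whatever older versions let through.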
githubexploit

Exploit for Off-by-one Error in Sudo Project Sudo

CVE-2021-3156-centos7 Privilege escalation via sudo, for CentOS 7 only. Affected versions: sudo: 1.8.2...

7.8CVSS

8.2AI Score

0.97EPSS

2022-11-03 01:10 PM
295
githubexploit

Exploit for Path Traversal in Apache Http Server

CVE-2021-41773 Go-language PoC and exploit project. Disclaimer: this project comes from the author's daily study notes. ...

7.5CVSS

8AI Score

0.975EPSS

2022-11-01 05:58 AM
421
cnvd

A weak password vulnerability exists in the Tianqing Application Delivery Control System of Qisda Information Technology Group Co., Ltd.

Tianqing Application Delivery Control System is a traffic management solution for virtualized cloud computing centers. The Qisda Information Technology Group Co., Ltd. Tianqing Application Delivery Control System has a weak password vulnerability, which attackers can use to log into the system backend and obtain sensitive...

2.5AI Score

2022-11-01 12:00 AM
9
cert

OpenSSL 3.0.0 to 3.0.6 decodes some punycode email addresses in X.509 certificates improperly

Overview Two buffer overflow vulnerabilities were discovered in OpenSSL versions 3.0.0 through 3.0.6. These vulnerabilities were introduced in version 3.0.0 with the inclusion of support for punycode email address parsing for X.509 certificates. OpenSSL's assessment of the severity of the...

7.5CVSS

7.9AI Score

EPSS

2022-11-01 12:00 AM
707
securelist

APT10: Tracking down LODEINFO 2022, part I

Kaspersky has been tracking activities involving the LODEINFO malware family since 2019, looking for new modifications and thoroughly investigating any attacks utilizing those new variants. LODEINFO is sophisticated fileless malware first named in a blogpost from JPCERT/CC in February 2020. The...

-0.4AI Score

2022-10-31 08:00 AM
14
githubexploit

10CVSS

9.9AI Score

0.975EPSS

2022-10-29 03:28 AM
334
impervablog

13 Cybersecurity Horror Stories to Give you Sleepless Nights

Are we sitting comfortably? Twas a dark and stormy night, and the cybersecurity team stood patiently in their Scrum meeting. "Tell us a tale," the CISO said, and one of their number raised their hand. They caught the eye of their colleagues, and began... 1. An artist's tale Curious reader, gird thy...

-0.2AI Score

2022-10-28 12:54 AM
20
githubexploit

Exploit for Improper Authentication in Fortinet Fortiproxy

CVE-2022-40684 CVE-2022-40684 single-target or batch exploit. Usage: generate a public key...

9.8CVSS

9.8AI Score

0.972EPSS

2022-10-26 01:48 AM
329
github

Gin-vue-admin subject to Remote Code Execution via file upload vulnerability

Impact Gin-vue-admin < 2.5.4 has file upload vulnerabilities. File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size. Failing to properly enforce restrictions on these could....

9.8CVSS

7.9AI Score

0.001EPSS

2022-10-25 09:02 PM
26
osv

Gin-vue-admin subject to Remote Code Execution via file upload vulnerability

Impact Gin-vue-admin < 2.5.4 has file upload vulnerabilities. File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size. Failing to properly enforce restrictions on these could....

9.8CVSS

0.6AI Score

0.001EPSS

2022-10-25 09:02 PM
5
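The Gin-vue-admin advisory above lists the four properties an upload handler has to validate: name, type, contents and size. The following is an added illustration of those checks in PHP, chosen because the rest of this page's plugin code is PHP; it is not Gin-vue-admin's code (that project is written in Go) and the function name, field name and destination directory are hypothetical. The key choice is that the client-supplied filename and Content-Type are never trusted: the stored name is random, and the extension is derived from the detected content.

```php
<?php
// Added illustration, not Gin-vue-admin's code. Hypothetical names throughout.

function demo_validate_upload( array $file, string $dest_dir, int $max_bytes = 2 * 1024 * 1024 ): string {
    // $file is one entry of $_FILES. Each of the four properties is checked on its own.
    if ( ! isset( $file['error'] ) || $file['error'] !== UPLOAD_ERR_OK ) {
        throw new RuntimeException( 'upload failed' );
    }
    if ( $file['size'] > $max_bytes ) {                           // size
        throw new RuntimeException( 'file too large' );
    }

    // Contents: detect the type from the bytes on disk, never from the client's
    // 'type' field or from the extension it chose.
    $finfo   = new finfo( FILEINFO_MIME_TYPE );
    $mime    = $finfo->file( $file['tmp_name'] );
    $allowed = array( 'image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf' );
    if ( ! isset( $allowed[ $mime ] ) ) {                         // type
        throw new RuntimeException( 'disallowed content type ' . $mime );
    }

    // Name: discard the client name entirely (it may carry ../ segments or a .php
    // suffix); the stored extension follows the detected type.
    $name = bin2hex( random_bytes( 16 ) ) . '.' . $allowed[ $mime ];
    $dest = rtrim( $dest_dir, '/' ) . '/' . $name;

    // move_uploaded_file refuses any path that was not an actual HTTP upload.
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        throw new RuntimeException( 'could not store file' );
    }
    return $dest;
}

// Usage inside the request handler (hypothetical field and directory):
// $path = demo_validate_upload( $_FILES['attachment'], '/var/www/uploads_outside_webroot' );
```

Even with these checks, the destination directory should sit outside the web root or be served with script execution disabled, so a file that passes as an image can never be executed if the detection is ever fooled.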
nuclei

kkFileView 4.1.0 - Cross-Site Scripting

kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the errorMsg parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and...

6.1CVSS

6.4AI Score

0.016EPSS

2022-10-25 09:53 AM
6
githubexploit

Exploit for Path Traversal in Zimbra Collaboration

CVE-2022-37042 Usage: view the vulnerability information (bash): go run main.go -s...

9.8CVSS

8.5AI Score

0.975EPSS

2022-10-24 10:10 AM
29
githubexploit

Exploit for Code Injection in Apache Commons Text

cve-2022-42889-intercept below...

9.8CVSS

9.8AI Score

0.972EPSS

2022-10-20 01:05 PM
16
malwarebytes

New PHP-based Ducktail infostealer is now after crypto wallets

A phishing campaign known to specifically target employees with access to their company's Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets. The Ducktail (Woo-ooh!) campaign was first...

-0.3AI Score

2022-10-20 12:00 PM
9
msrc

Investigation Regarding Misconfigured Microsoft Storage Location

This blog post is a translation of Investigation Regarding Misconfigured Microsoft Storage...

1.2AI Score

2022-10-19 07:00 AM
5
cnvd

ForceControl has a denial-of-service vulnerability (CNVD-2022-77992)

ForceControl is monitoring and control configuration software, mainly used for data acquisition and supervisory control. A denial of service vulnerability exists in ForceControl, which can be exploited by attackers to cause a denial of...

4.7AI Score

2022-10-19 12:00 AM
8
securelist

DiceyF deploys GamePlayerFramework in online casino development studio

The Hacktivity 2022 security festival was held at the MOM Cultural Center in Budapest, Hungary, over two days, October 6-7th 2022. One of several presentations by our GReAT researchers included an interesting set of APT activity targeting online casino development and operations environments in...

0.8AI Score

2022-10-17 06:37 PM
12
githubexploit

Exploit for OS Command Injection in Telesquare Sdt-Cs3B1 Firmware

CVE-2022-26134_RCE Install: git clone...

9.8CVSS

9.7AI Score

0.958EPSS

2022-10-16 03:24 PM
24
msrc

Improvements in Security Update Notifications Delivery – And a New Delivery Method

This blog post is a translation of Improvements in Security Update Notifications Delivery – And a New Delivery Method...

1.9AI Score

2022-10-16 07:00 AM
2
githubexploit

Exploit for Expression Language Injection in Atlassian Confluence Data Center

CVE-2021-46422 RCE Install: git clone...

9.8CVSS

10AI Score

0.975EPSS

2022-10-15 03:56 PM
15
githubexploit

Exploit for OS Command Injection in Telesquare Sdt-Cs3B1 Firmware

CVE-2021-46422 RCE Install: git clone...

9.8CVSS

9.7AI Score

0.958EPSS

2022-10-15 03:13 PM
19
githubexploit

Exploit for OS Command Injection in Telesquare Sdt-Cs3B1 Firmware

CVE-2022-26134_RCE Install: git clone...

9.8CVSS

9.7AI Score

0.958EPSS

2022-10-15 06:01 AM
20
githubexploit

Exploit for Expression Language Injection in Atlassian Confluence Data Center

CVE-2022-26134_RCE Install: git clone...

9.8CVSS

9.3AI Score

0.975EPSS

2022-10-15 06:01 AM
143
schneier

Regulating DAOs

In August, the US Treasury's Office of Foreign Assets Control (OFAC) sanctioned the cryptocurrency platform Tornado Cash, a virtual currency "mixer" designed to make it harder to trace cryptocurrency transactions--and a worldwide favorite money-laundering platform. Americans are now forbidden from....

-0.2AI Score

2022-10-14 02:08 PM
16
githubexploit

Exploit for CVE-2022-23277

exch_CVE-2021-42321...

8.8CVSS

8.8AI Score

0.014EPSS

2022-10-13 01:35 PM
28
Total number of security vulnerabilities: 15100