The Introduction: Decrypting Protocol Buffers When navigating through the intricate world of data encoding and decoding mechanisms, Protocol Buffers, or widely known as Protobuf, have carved their position as a dynamic contender. The brainchild of Google, this binary blueprint aims for advanced...
7 AI Score
Exploit for Cross-site Scripting in Phpgurukul Hospital Management System
CVE-2023-7173: Stored Cross-Site Scripting (XSS) in Hospital...
5.4 CVSS
5.3 AI Score
0.001 EPSS
Mobile malware analysis for the BBC
This is a version of our report referenced in the Helping a mobile malware fraud victim blog post, with all sensitive information removed. Summary One malicious application was identified on the device, and evidence identified during the examination strongly suggests (though this cannot be confirmed....
7.1 AI Score
outdoorbits little-backup-box (aka Little Backup Box) before f39f91c allows remote attackers to execute arbitrary code because the PHP extract function is used for untrusted...
9.8 CVSS
9.8 AI Score
0.003 EPSS
outdoorbits little-backup-box (aka Little Backup Box) before f39f91c allows remote attackers to execute arbitrary code because the PHP extract function is used for untrusted...
9.8 CVSS
8.2 AI Score
0.003 EPSS
outdoorbits little-backup-box (aka Little Backup Box) before f39f91c allows remote attackers to execute arbitrary code because the PHP extract function is used for untrusted...
9.8 CVSS
0.003 EPSS
outdoorbits little-backup-box (aka Little Backup Box) before f39f91c allows remote attackers to execute arbitrary code because the PHP extract function is used for untrusted...
9.8 CVSS
8.4 AI Score
0.003 EPSS
outdoorbits little-backup-box (aka Little Backup Box) before f39f91c allows remote attackers to execute arbitrary code because the PHP extract function is used for untrusted...
10 AI Score
0.003 EPSS
Imperva defends customers against recent vulnerabilities in Apache OFBiz
On December 26, researchers from SonicWall Capture Labs discovered an authentication bypass vulnerability in Apache OFBiz, tracked as CVE-2023-51467. This bug has a CVSS score of 9.8 and allows attackers to achieve server-side request forgery (SSRF) by bypassing the program’s authentication. This.....
9.8 CVSS
8.6 AI Score
0.798 EPSS
Artificial intelligence is poised to upend much of society, removing human limitations inherent in many systems. One such limitation is information and logistical bottlenecks in decision-making. Traditionally, people have been forced to reduce complex choices to a small handful of options that...
7 AI Score
How to Build a Cybersecurity Culture in Your Company
Decoding the Essential Components of Cyber Safeguard Culture In today's era, marked by copious dependencies on digital technologies, strengthening defenses against digital security vulnerabilities has become more than just a choice, it's a critical necessity. Establishing a culture of cyber...
7.5 AI Score
A flaw was found in some SMTP server configurations in Postfix. This flaw allows a remote attacker to break out of email message data to "smuggle" SMTP commands and send spoofed emails that pass SPF checks. Out of the box, Postfix aims to accommodate older clients with faulty SMTP implementations.....
5.3 CVSS
5.2 AI Score
0.003 EPSS
9.8 CVSS
7.2 AI Score
0.002 EPSS
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the /file route which made them susceptible to file traversal...
7.5 CVSS
6.8 AI Score
0.031 EPSS
Exploit for Incorrect Implementation of Authentication Algorithm in Microsoft
CVE 2023 29357 Information Target SharePoint...
9.8 CVSS
9.8 AI Score
0.89 EPSS
GLSA-202312-06 : Exiv2: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202312-06 (Exiv2: Multiple Vulnerabilities) Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can result in an information leak. (CVE-2020-18771) An...
8.8 CVSS
8.3 AI Score
0.01 EPSS
What’s New in Rapid7 Products & Services: 2023 Year in Review
Throughout 2023 Rapid7 has made investments across the Insight Platform to further our mission of providing security teams with the tools to proactively anticipate imminent risk, prevent breaches earlier, and respond faster to threats. In this blog you'll find a review of our top releases from...
7.3 AI Score
Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...
4.8 CVSS
4.8 AI Score
0.0004 EPSS
Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed PoC 1) Create a new opt-in form 2) Edit the form, and add a "First name" field. 3) Update...
4.8 CVSS
4.8 AI Score
0.0004 EPSS
Security Bulletin: Netcool Operations Insights 1.6.11 addresses multiple security vulnerabilities.
Summary Netcool Operations Insight v1.6.11 addresses multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID: CVE-2023-34453 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a...
9.8 CVSS
9.6 AI Score
0.024 EPSS
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....
7.2 CVSS
7.4 AI Score
0.001 EPSS
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....
7.2 CVSS
0.001 EPSS
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....
7.2 CVSS
8 AI Score
0.001 EPSS
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....
5.5 CVSS
7.6 AI Score
0.001 EPSS
JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted image that is displayed back to the...
7.5 CVSS
7.4 AI Score
0.001 EPSS
JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted image that is displayed back to the...
7.5 CVSS
0.001 EPSS
JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted image that is displayed back to the...
7.5 CVSS
7.1 AI Score
0.001 EPSS
JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted image that is displayed back to the...
7.5 CVSS
7.7 AI Score
0.001 EPSS
Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps
Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.3.0 Vulnerability Details CVEID: CVE-2022-28948 DESCRIPTION: Go-Yaml is vulnerable to a denial of service, caused by a flaw in the Unmarshal function. By sending a specially-crafted input, a remote attacker...
9.8 CVSS
9.8 AI Score
EPSS
Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS...
5.4 CVSS
5.8 AI Score
0.0004 EPSS
Essential Real Estate < 4.4.0 - Subscriber+ Stored XSS
Description The plugin does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. PoC 1. Login with a subscriber account, and visit https://vulnerable-site.tld/wp-admin/profile.php?action=delete 2.....
5.4 CVSS
5.4 AI Score
0.0004 EPSS
NIST SP 800-53 Rev. 5 Updates: What You Need to Know About The Most Recent Patch Release (5.1.1)
On November 7th, the National Institute of Standards and Technology (NIST) issued an update to SP 800-53, a NIST-curated catalog of controls that organizations can implement to effectively manage security and privacy risk. In this blog we’ll cover the new and updated controls within patch release.....
7.1 AI Score
8.1 CVSS
9.7 AI Score
0.0005 EPSS
Securing our home labs: Frigate code review
At GitHub Security Lab, we are continuously analyzing open source projects in line with our goal of keeping the software ecosystem safe. Whether by manual review, multi-repository variant analysis, or internal automation, we focus on high-profile projects we all depend on and rely on. Following on....
7.5 CVSS
8 AI Score
0.033 EPSS
Are HTTP Content-Security-Policy (CSP) Headers Sufficient to Secure Your Client Side?
Modern web frameworks have shifted business logic from the server side to the client side (web browser), enhancing performance, flexibility, and user experience. However, this move introduces security and privacy concerns, as exposing sensitive logic and data can lead to vulnerabilities like code.....
7.1 AI Score
7.4 AI Score
Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting
On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject...
6.4 CVSS
5.9 AI Score
0.001 EPSS
CVE-2022-21907 Vulnerability in HTTP Protocol Stack Enabling...
9.8 CVSS
7.4 AI Score
0.783 EPSS
New Microsoft Purview features use AI to help secure and govern all your data
In the past few years, we have witnessed how digital and cloud transformation has accelerated the growth of data. With more and more customers moving to the cloud, and with the rise of hybrid work, data usage has moved beyond the traditional borders of business. Data is now stored in multiple...
6.6 AI Score
SENEC Storage Box V1, V2 and V3 accidentally expose a management UI accessible with publicly known admin...
7.2 CVSS
0.001 EPSS
SENEC Storage Box V1, V2 and V3 accidentally expose a management UI accessible with publicly known admin...
7.2 CVSS
6.9 AI Score
0.001 EPSS
The affected devices use publicly available default credentials with administrative...
9.8 CVSS
9.4 AI Score
0.001 EPSS
SENEC Storage Box V1, V2 and V3 accidentally expose a management UI accessible with publicly known admin...
7.2 CVSS
7.2 AI Score
0.001 EPSS
CVE-2023-39171 SENEC Storage Box V1, V2 and V3 accidentally expose a management interface
SENEC Storage Box V1, V2 and V3 accidentally expose a management UI accessible with publicly known admin...
7.2 CVSS
7.2 AI Score
0.001 EPSS
In SENEC Storage Box V1, V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive...
7.5 CVSS
0.002 EPSS
In SENEC Storage Box V1, V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive...
7.5 CVSS
7.5 AI Score
0.002 EPSS
The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network...
9.1 CVSS
8.9 AI Score
0.001 EPSS
In SENEC Storage Box V1, V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive...
7.5 CVSS
6.9 AI Score
0.002 EPSS
CVE-2023-39169 SENEC: Storage Box V1, V2 and V3 using default credentials
The affected devices use publicly available default credentials with administrative...
9.8 CVSS
9.8 AI Score
0.001 EPSS