Summary: There is a vulnerability in the OpenTelemetry gRPC package, which is shipped as part of IBM CICS TX Standard. An update to IBM CICS TX Standard has been released to address the vulnerability. Vulnerability Details: CVEID: CVE-2023-47108 DESCRIPTION: OpenTelemetry OpenTelemetry-Go Contrib...
7.5 CVSS
6.6 AI Score
0.001 EPSS
Test and evaluate your WAF before hackers
Since 1991, Web Application Firewall, commonly referred to as WAF, has become one of the most common application security technologies available on the market. Since the last century, WAFs have evolved by incorporating the cloud and using Machine Learning instead of RegExp. Currently, few...
6.6 AI Score
Bootiful Spring Boot in 2024 (part 1)
NB: the code is here on my Github account: github.com/joshlong/bootiful-spring-boot-2024-blog. Hi, Spring fans! I'm Josh Long, and I work on the Spring team. I'm excited to be keynoting and giving a talk at Microsoft's JDConf this year. I'm a Kotlin GDE and a Java Champion, and I'm of the opinion.....
6.9 AI Score
A Close Up Look at the Consumer Data Broker Radaris
If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the...
6.6 AI Score
Fedora: Security Advisory for rsyntaxtextarea (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for...
7 AI Score
0.0004 EPSS
[SECURITY] Fedora 40 Update: rsyntaxtextarea-3.1.3-11.fc40
RSyntaxTextArea is a customizable, syntax highlighting text component for Java Swing applications. Out of the box, it supports syntax highlighting for 40+ programming languages, code folding, search and replace, and has add-on libraries for code completion and spell checking. Syntax highlighting...
9.1 AI Score
0.0004 EPSS
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a...
4.9 CVSS
6.5 AI Score
0.0004 EPSS
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a...
4.9 CVSS
6.7 AI Score
0.0004 EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 26, 2024 to March 3, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 121 vulnerabilities disclosed in 88...
9.8 CVSS
9.6 AI Score
0.001 EPSS
The 3 most common post-compromise tactics on network infrastructure
We've been discussing networking devices quite a lot recently and how Advanced Persistent Threat actors (APTs) are using highly sophisticated tactics to target aging infrastructure for espionage purposes. Some of these attacks are also likely prepositioning the APTs for future disruptive or...
8.3 AI Score
Living off the land with native SSH and split tunnelling
TL;DR: Attackers can use the Microsoft native SSH client to forward out internal network traffic; Windows native SSH is common; the attack only needs minimal set-up and commands; it is quicker and more cost effective for an attacker than using C2 infrastructure; it reduces the likelihood of Blue team detection ...
7.6 AI Score
Amazon Linux 2 : containerd (ALASECS-2024-035)
The version of containerd installed on the remote host is prior to 1.7.11-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2024-035 advisory. A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server...
7.5 CVSS
7.5 AI Score
0.002 EPSS
Summary: The Node.js module undici is used by IBM App Connect Enterprise Certified Container for communicating with Box in the Box connector. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run flows using the Box connector are vulnerable to loss of....
3.9 CVSS
5.8 AI Score
0.0004 EPSS
Researchers have demonstrated a worm that spreads through prompt injection. Details: In one instance, the researchers, acting as attackers, wrote an email including the adversarial text prompt, which "poisons" the database of an email assistant using retrieval-augmented generation (RAG), a way...
7.2 AI Score
openSUSE: Security Advisory for opera (openSUSE-SU-2023:0066-1)
The remote host is missing an update for...
8.8 CVSS
9.1 AI Score
0.003 EPSS
openSUSE: Security Advisory for opera (openSUSE-SU-2022:10109-1)
The remote host is missing an update for...
8.8 CVSS
8.1 AI Score
0.045 EPSS
openSUSE: Security Advisory for cacti, cacti (openSUSE-SU-2024:0031-1)
The remote host is missing an update for...
8.8 CVSS
6.4 AI Score
0.001 EPSS
openSUSE: Security Advisory for opera (openSUSE-SU-2024:0053-1)
The remote host is missing an update for...
9.8 CVSS
8.8 AI Score
0.001 EPSS
openSUSE: Security Advisory for MozillaFirefox (SUSE-SU-2024:0607-1)
The remote host is missing an update for...
9 AI Score
0.0004 EPSS
openSUSE: Security Advisory for opera (openSUSE-SU-2023:0251-1)
The remote host is missing an update for...
8.8 CVSS
7.7 AI Score
0.004 EPSS
PikaBot malware on the rise: What organizations need to know
A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot. A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the infamous QakBot (QBot) trojan that was shut down in August 2023. QBot was used by many ransomware gangs in....
7.8 AI Score
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 83 vulnerabilities disclosed in 57 WordPress.....
9.8 CVSS
9.6 AI Score
0.001 EPSS
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to...
6.4 CVSS
5.7 AI Score
0.0004 EPSS
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to...
6.4 CVSS
6 AI Score
0.0004 EPSS
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to...
6.4 CVSS
6.1 AI Score
0.0004 EPSS
The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Settings user profile fields in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level...
6.4 CVSS
6.1 AI Score
0.0004 EPSS
Imperva Customers are Protected Against New SQL Injection Vulnerability in WordPress Plugin
A critical security flaw, identified as CVE-2024-1071, was discovered in the Ultimate Member plugin for WordPress, affecting over 200,000 active installations. This vulnerability has a high severity CVSS score of 9.8 and allows for SQL injection via the 'sorting' parameter due to insufficient...
9.8 CVSS
8.8 AI Score
0.001 EPSS
Security Advisory 0093 (CSAF, PDF). Date: February 28, 2024. Revision 1.0, February 28, 2024: Initial release. The CVE-ID tracking this issue: CVE-2024-27889. CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Common Weakness Enumeration: CWE-89:...
8.8 CVSS
9.3 AI Score
0.001 EPSS
Profile Box Shortcode And Widget < 1.2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.7 AI Score
0.0004 EPSS
MikroTik RouterOS Uncontrolled Resource Consumption (CVE-2018-5951)
An issue was discovered in MikroTik RouterOS. Crafting a packet that has a size of 1 byte and sending it to an IPv6 address of a RouterOS box with IP Protocol 97 will cause RouterOS to reboot imminently. All versions of RouterOS that support EoIPv6 are vulnerable to this attack. This plugin only.....
7.5 CVSS
7.5 AI Score
0.001 EPSS
Profile Box Shortcode And Widget < 1.2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC When creating a new widget,...
5.3 AI Score
0.0004 EPSS
A Comprehensive Assessment of the General Personal Data Protection Law (LGPD)
Most nations need to protect sensitive data for any number of reasons. Assuring legal compliance, protecting national security, preventing abuse and prejudice, improving global competitiveness, and upholding ethical standards are all vital requirements. Data privacy enhances the safety, security,.....
6.9 AI Score
Summary: A cross-site scripting vulnerability in jQuery UI used by IBM InfoSphere Information Server was addressed. Vulnerability Details: CVEID: CVE-2022-31160 DESCRIPTION: jQuery UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the...
6.1 CVSS
6.6 AI Score
0.002 EPSS
TruRisk™️ Insights – The Story Behind a TruRisk Score
In the world of cloud and SaaS security, where risks arise not only from vulnerabilities but also from misconfigurations and various threats, the task of prioritizing and managing them becomes increasingly complex. It's not just about identifying vulnerabilities; it's also crucial to recognize and....
7.7 AI Score
TikTok’s latest actions to combat misinformation show it’s not just a U.S. problem
When we talk about the term "fake news," most people likely picture a certain person who made the term infamous. And when we talk about misinformation and disinformation, many will remember the "Russian troll farms" that popped up during the 2016 U.S. presidential election and were unmasked and...
6.9 AI Score
Imperva successfully defends against CVE-2024-25600 in WordPress Bricks Builder
A critical vulnerability in the Bricks Builder site builder for WordPress, identified as CVE-2024-25600, is currently under active exploitation, and poses a significant threat to over 25,000 sites. This flaw, with a CVSS score of 9.8, is an unauthenticated remote code execution vulnerability that.....
8.7 AI Score
0.001 EPSS
View transitions: Handling aspect ratio changes
This post assumes some knowledge of view transitions. If you're looking for a from-scratch intro to the feature, see this article. When folks ask me for help with view transition animations that "don't quite look right", it's usually because the content changes aspect ratio. Here's how to handle...
7.4 AI Score
Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
7.3 AI Score
0.0004 EPSS
Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC 1. Create a new Facebook like...
7.2 AI Score
0.0004 EPSS
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to...
6.4 CVSS
5.8 AI Score
0.0004 EPSS
November 14, 2023—KB5032190 (OS Builds 22621.2715 and 22631.2715)
November 14, 2023—KB5032190 (OS Builds 22621.2715 and 22631.2715) UPDATED 2/27/24 IMPORTANT: New dates for the end of non-security updates for Windows 11, version 22H2. The new end date is June 24, 2025 for Windows 11, version 22H2 Enterprise, Education, IoT Enterprise, and Enterprise multi-session.....
9.8 CVSS
8.2 AI Score
0.57 EPSS
ProfilePress < 4.15.0 - Contributor+ Stored XSS
Description: The plugin does not validate and escape some of its edit-profile-text-box shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
5.7 AI Score
0.0004 EPSS
Fedora 39 : caddy (2024-22b915e51a)
The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22b915e51a advisory. OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels http.user_agent and...
7.5 CVSS
7.2 AI Score
0.001 EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 95 vulnerabilities disclosed in 65...
10 CVSS
9 AI Score
0.154 EPSS