The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload...
5.4CVSS
5.3AI Score
0.001EPSS
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. PoC Put the following payload in the QR setting: "> The XSS will be triggered in the plugin's settin...
5.4CVSS
3.4AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) discovered by 听雨眠 in WordPress Wechat Reward plugin (versions <= 1.7). Solution Deactivate and delete. This plugin has been closed as of August 10, 2021 and is not available for download. Reason: Security...
5.4CVSS
2.6AI Score
0.001EPSS
Wechat Reward <= 1.7 - CSRF to Stored Cross-Site Scripting
The plugin does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting...
5.4CVSS
-0.1AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin
Description Stored XSS Content allows for the arbitrary execution of JavaScript # Proof of Concept ``` In Wechat management at feature - Reply rule management - Follow reply configuration - Default reply configuration - Follow automatic replies Save Reply text with payload : \x3csVg/\x3e XSS...
2.1AI Score
YAxisVotePower.balanceOf can be manipulated
Handle cmichel Vulnerability details The YAxisVotePower.balanceOf contract uses the Uniswap pool reserves to compute a _lpStakingYax reward: (uint256 _yaxReserves,,) = yaxisEthUniswapV2Pair.getReserves(); int256 _lpStakingYax = _yaxReserves .mul(_stakeAmount) .div(_supply) ...
6.8AI Score
8.8CVSS
7.4AI Score
0.969EPSS
The Rise of Disruptive Ransomware Attacks: A Call To Action
Our collective use of and dependence on technology has come quite a long way since 1989. That year, the first documented ransomware attack — the AIDS Trojan — was spread via physical media (5 1⁄4" floppy disks) delivered by the postal service to individuals subscribed to a mailing list. The...
7.4AI Score
A vulnerability affecting F-Secure Antivirus engine was discovered whereby scanning WIM archive file can lead to denial-of-service (infinite loop and freezes AV engine scanner). The vulnerability can be exploit remotely by an attacker. A successful attack will result in Denial-of-Service of the...
5.5CVSS
0.001EPSS
A vulnerability affecting F-Secure Antivirus engine was discovered whereby scanning WIM archive file can lead to denial-of-service (infinite loop and freezes AV engine scanner). The vulnerability can be exploit remotely by an attacker. A successful attack will result in Denial-of-Service of the...
5.5CVSS
5.5AI Score
0.001EPSS
A vulnerability affecting F-Secure Antivirus engine was discovered whereby scanning WIM archive file can lead to denial-of-service (infinite loop and freezes AV engine scanner). The vulnerability can be exploit remotely by an attacker. A successful attack will result in Denial-of-Service of the...
5.5CVSS
5.5AI Score
0.001EPSS
CVE-2021-33599 Denial-of-Service (DoS) Vulnerability
A vulnerability affecting F-Secure Antivirus engine was discovered whereby scanning WIM archive file can lead to denial-of-service (infinite loop and freezes AV engine scanner). The vulnerability can be exploit remotely by an attacker. A successful attack will result in Denial-of-Service of the...
4.6CVSS
5.7AI Score
0.001EPSS
9.8CVSS
8.5AI Score
0.974EPSS
Microsoft Edge for Android信息泄露漏洞
Microsoft Edge for Android is a web browser for Android from Microsoft Corporation (USA). The vulnerability is caused by errors in the configuration of the network system or product during operation, which can be exploited by attackers to obtain sensitive...
5.9CVSS
3.9AI Score
0.001EPSS
Brute-Force Attacks Target Inboxes for Gift Card Data
Threat actors are compromising up to 100,000 inboxes daily in a campaign that targets gift card and customer-loyalty program data in hopes of reselling it or cashing in on freebies, a security researcher has found. The actors behind the scam—outlined in a post by Brian Krebs on Krebs on...
-0.3AI Score
SQL injection vulnerability exists in Tongda OA (CNVD-2021-73171)
OA (Office Anywhere Network Intelligent Office System) is a collaborative office automation software independently developed by Beijing Tongda Xinke Technology Co. There is a SQL injection vulnerability in Tongda OA, attackers can use the vulnerability to obtain sensitive information in the...
3.5AI Score
Guangdong Agricultural Credit Weixin public number has a logic flaw vulnerability
Guangdong Farm Credit WeChat Public Number is the official WeChat public number of Guangdong Rural Credit Union, mainly promoting the financial services and reform and development achievements of the provincial federation and the province's agricultural commercial banks (agricultural credit...
2.2AI Score
SQL injection vulnerability exists in Gridview of Dawning Information Industry Co.
Gridview is an integrated high-performance computing platform comprehensive management system. There is a SQL injection vulnerability in Gridview, which can be exploited by attackers to obtain sensitive database...
5.1AI Score
A Denial-of-Service (DoS) vulnerability was discovered in all versions of F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service....
6.5CVSS
0.001EPSS
A Denial-of-Service (DoS) vulnerability was discovered in all versions of F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service....
6.5CVSS
6.4AI Score
0.001EPSS
A Denial-of-Service (DoS) vulnerability was discovered in all versions of F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service....
6.5CVSS
6.4AI Score
0.001EPSS
CVE-2021-33598 Denial-of-Service (DoS) Vulnerability
A Denial-of-Service (DoS) vulnerability was discovered in all versions of F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service....
4.6CVSS
6.7AI Score
0.001EPSS
Exploit for Allocation of Resources Without Limits or Throttling in Helpsystems Cobalt Strike
CVE-2021-36798 CVE-2021-36798 Cobalt Strike < 4.3 dos ...
7.5CVSS
7.5AI Score
0.003EPSS
Malicious Ads Target Cryptocurrency Users With Cinobi Banking Trojan
A new social engineering-based malvertising campaign targeting Japan has been found to deliver a malicious application that deploys a banking trojan on compromised Windows machines to steal credentials associated with cryptocurrency accounts. The application masquerades as an animated porn game, a....
0.6AI Score
8.8CVSS
7.9AI Score
0.917EPSS
Rewards accumaulated can stay constant and oftern not increment
Handle moose-code Vulnerability details Impact rewardsPerToken_.accumulated can stay constant while rewardsPerToken_.lastUpdated is continually updated, leading to no actual rewards being distributed. I.e. No rewards accumulate. Proof of Concept Line 115, rewardsPerToken_.accumulated could stay...
6.9AI Score
WeChat public backend system has XSS vulnerability
WeChat public number belongs to Tencent, which is an application account applied by developers or merchants on the WeChat public platform. The account is interoperable with QQ accounts, and the platform enables all-round communication and interaction with specific groups of people in text,...
3.2AI Score
ERC20Rewards.sol: Consider making rewardsToken immutable
Handle hickuphh3 Vulnerability details Impact While it might seem like a good feature to have, being able to switch reward tokens will only be useful for tokens which are equivalent in value (probably stablecoins, pegged tokens) since it carries over unclaimed rewards from the previous reward...
6.9AI Score
Rewards squatting - setting rewards in different ERC20 tokens opens various economic attacks.
Handle moose-code Vulnerability details Impact Users have essentially have an option to either claim currently earned reward amounts on future rewards tokens, or the current rewards token. Although stated on line 84, it does not take into account the implications and lock in this contract will...
6.7AI Score
ERC20Rewards returns wrong rewards if no tokens initially exist
Handle cmichel Vulnerability details The ERC20Rewards.updateRewardsPerToken function exits without updating rewardsPerToken.lastUpdated if totalSupply is zero, i.e., if there are no tokens initially. This leads to an error if there is an active rewards period but not tokens have been minted yet....
6.8AI Score
ERC20Rewards breaks when setting a different token
Handle cmichel Vulnerability details The setRewards function allows setting a different token. Holders of a previous reward period cannot all be paid out and will receive their old reward amount in the new token. This leads to issues when the new token is more (less) valuable, or uses different...
7AI Score
Friends Reunion Anchors Video Swindle
The second quarter saw a rise in entertainment lures for fraud and phishing, including one campaign capitalizing on the buzz around “Friends: The Reunion.” Researchers at Kaspersky found fake sites supposedly hosting video for the much-anticipated special episode of the popular sitcom, according...
0.6AI Score
A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address...
3.5CVSS
4.1AI Score
0.001EPSS
A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address...
3.5CVSS
0.001EPSS
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A...
3.5CVSS
0.001EPSS
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A...
3.5CVSS
4.2AI Score
0.001EPSS
A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address...
3.5CVSS
4.1AI Score
0.001EPSS
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A...
3.5CVSS
4.1AI Score
0.001EPSS
CVE-2021-33594 F-Secure Safe browser for Android vulnerable to Address Bar Spoofing
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted a malicious URL, it appears like a legitimate one on the address bar, while the content comes from other domain and presented in a window, covering the original content. A...
3.5CVSS
4.3AI Score
0.001EPSS
CVE-2021-33595 F-Secure Safe browser for iOS vulnerable to Address Bar Spoofing
A address bar spoofing vulnerability was discovered in Safe Browser for iOS. Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. A remote attacker can leverage this to perform address...
3.5CVSS
4.3AI Score
0.001EPSS
Jeecms background exists arbitrary file download vulnerability
jeecms is a content management system developed by Jiangxi Jinlei Technology Development Co., Ltd. that supports WeChat applets, WeChat public/service numbers, column models, content model cross-customization, and content e-commerce with payment and financial settlement. jeecms background exists...
4.4AI Score
Denial of Service in cortezaproject/corteza-server
You can put a very long login email text until you get the last user to put and aries or [DoS]. Normally emails have 64 to 225 digits. Summary There is no limit to the number of characters in the login email, which allows a DoS attack. The DoS attack affects both server-side and client-side. NOTE:....
1.5AI Score
BlackShield Network Security Audit System has a weak password vulnerability
Fujian Strait Information Technology Co., Ltd. is a state-controlled high-tech enterprise, specializing in technical research, product sales, information security services and other businesses in the field of network security technology. There is a weak password vulnerability in the BlackShield...
2.7AI Score
Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. Exploiting the vulnerability requires the user to click on a specially crafted, seemingly legitimate URL containing an embedded...
4.1CVSS
0.001EPSS
A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the...
5.5CVSS
5.5AI Score
0.001EPSS
A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the...
5.5CVSS
0.001EPSS
Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. Exploiting the vulnerability requires the user to click on a specially crafted, seemingly legitimate URL containing an embedded...
4.1CVSS
4.4AI Score
0.001EPSS
Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. Exploiting the vulnerability requires the user to click on a specially crafted, seemingly legitimate URL containing an embedded...
4.1CVSS
4.5AI Score
0.001EPSS
A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the...
5.5CVSS
5.5AI Score
0.001EPSS
CVE-2021-33597 Denial-of-Service (DoS) Vulnerability
A Denial-of-Service (DoS) vulnerability was discovered in F-Secure Atlant whereby the SAVAPI component used in certain F-Secure products can crash while scanning fuzzed files. The exploit can be triggered remotely by an attacker. A successful attack will result in Denial-of-Service (DoS) of the...
3.5CVSS
5.8AI Score
0.001EPSS