A Tiny Blog Took on Big Surveillance in China—and Won
Digging through manuals for security cameras, a group of gearheads found sinister details and ignited a new battle in the US-China tech war...
Malicious Package
Overview fancode-fc-tools is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...
Malicious Package
Overview @miro-site/features-standard-header is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerab...
XiaoBingby TeaCMS Authorization Issue Vulnerability
XiaoBingBy TeaCMS is a blog system by the individual developer xiaobingby. A security vulnerability exists in XiaoBingby TeaCMS 2.3.3, which stems from an unauthorized access issue in the system that can be exploited by an attacker to elevate privileges via the id and keywords parameters...
Roxy WI 6.1.1.0 Remote Code Execution
ADVISORY INFORMATION Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution RCE via sslcert Upload Date of found: 21 July 2022 Application: Roxy WI .oastify.com;...
GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure Vulnerability
Exploit Title: GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure Version: =10.0.0 and 10.0.2 Author: Nuri Çilengir Vendor Homepage: https://glpi-project.org/ Software Link: https://github.com/glpi-project/glpi Advisory:...
GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
Exploit Title: GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin Date of found: 11 Jun 2022 Application: GLPI Activity 3.1.0 Author: Nuri Çilengir Vendor Homepage: https://glpi-project.org/ Software Link: https://github.com/InfotelGLPI/activity Advisory:...
GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
ADVISORY INFORMATION Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin Date of found: 11 Jun 2022 Application: GLPI Manageentities 4.0.2 Author: Nuri Çilengir Vendor Homepage: https://glpi-project.org/ Software Link:...
Friday Squid Blogging: Giant Squid vs. Blue Marlin
Epic matchup. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Trump’s Indictment Marks a Historic Reckoning
A Manhattan grand jury has issued the first-ever indictment of a former US president. Buckle up for whatever happens next...
Shoplazza 1.1 - Stored Cross-Site Scripting Vulnerability
Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting XSS Exploit Author: Andrey Stoykov Software Link: https://github.com/Shoplazza/LifeStyle Version: 1.1 Tested on: Ubuntu 20.04 Stored XSS 1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts" - "Manage...
Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)
Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting XSS Exploit Author: Andrey Stoykov Software Link: https://github.com/Shoplazza/LifeStyle Version: 1.1 Tested on: Ubuntu 20.04 Stored XSS 1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts" - "Manage...
The Most Common Combosquatting Keyword Is “Support”
...
Bay Area Bank Collapse and the Cybersecurity Impact
Greg Young, VP of Cybersecurity and CorpDev, discusses what the second-largest bank collapse in U.S. history means for cybersecurity...
Cross site request forgery (csrf)
The Ever Compare WordPress plugin through 1.2.3 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack...
Cross site request forgery (csrf)
The HT Event WordPress plugin before 1.4.6 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack...
Cross site request forgery (csrf)
The WP News WordPress plugin through 1.1.9 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack...
CVE-2023-0499 QuickSwish < 1.1.0 - Arbitrary Plugin Activation via CSRF
The QuickSwish WordPress plugin before 1.1.0 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack...
TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update
The plugin does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, such as enabling registration and set the...
CVE-2023-20027
creationtimestamp | type | source
---|---|---
2023-03-23 19:36:57+00:00 | seen | https://t.me/cibsecurity/60596
2023-03-24 11:20:58+00:00 | seen | https://t.me/truesecator/4210
2023-07-03 11:56:00+00:00 | seen | https://www.jerrygamblin.com/2023/07/03/2023-first-half-cve-data-review/...