7716 matches found
CVE-2021-36748
A SQL Injection issue in the list controller of the Prestahome Blog aka phsimpleblog module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sbcategory parameter...
SQL injection
A SQL Injection issue in the list controller of the Prestahome Blog aka phsimpleblog module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sbcategory parameter...
CVE-2021-36748
PrestaHome Blog (ph_simpleblog) for PrestaShop before version 1.7.8 is vulnerable to a SQL injection (blind) via the sb_category parameter in the list controller. Exploitation could allow an attacker to extract data from the database. The issue is corroborated by multiple sources, including a ded...
Print My Blog < 3.4.2 - Plugin Deactivation via CSRF
The plugin does not enforce nonce CSRF checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link PoC...
CISA Releases Security Advisory for ThroughTek Kalay P2P SDK
CISA has released an Industrial Control Systems (ICS) advisory detailing a vulnerability affecting several versions of the ThroughTek Kalay P2P Software Development Kit (SDK). A remote attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrator...
The NYPD Had a Secret Fund for Surveillance Tools
Documents reveal that police bought facial-recognition software, vans equipped with x-ray machines, and “stingray” cell site simulators—with no public oversight...
Cross Site Scripting (XSS)
intelliants/subrion is vulnerable to cross-site scripting. An attacker is able to inject and execute a malicious script by adding a blog and then editing an image file...
Friday Squid Blogging: Squid Dog Toy
It's sold out, but the pictures are cute. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
CVE-2020-22392
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file...
Cross-site scripting
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file...
CVE-2020-22392
CVE-2020-22392 corresponds to a Cross Site Scripting (XSS) vulnerability in Subrion CMS 4.2.2, specifically exposed when adding a blog and then editing an image file. The connected documents confirm the affected product/version and the vulnerable action, but do not provide technical details about...
Threat Source newsletter (Aug. 5, 2021)
Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. We hope everyone is enjoying Black Hat and/or DEF CON this week, regardless of whether you're attending virtually or in person. In case you missed any of our talks from Black Hat, you can check them out here, along... This is only the...
Recognition of the MSRC 2021 Most Valuable Security Researchers
This article is a Japanese digest translation of "Congratulations to the MSRC 2021 Most Valuable Security Researchers!". MSRC...
Subrion CMS cross-site scripting vulnerability
Subrion CMS is a PHP-based content management system (CMS) from the Subrion team. The system can be integrated into websites and supports a variety of extensions, plug-ins and more. A security vulnerability exists in Subrion CMS that stems from a cross-site scripting vulnerability when adding a blog...
LY Corporation: Access to images and videos in drafts on LINE BLOG
On LINE BLOG, a sequential ID is assigned to each image/video when it is uploaded, and the ID is converted to the actual URL on preview/publish. Due to a bug in the attachment ownership verification process, it could be possible for an attacker to view unpublished images/videos in other users' drafts by...
Congratulations to the MSRC 2021 Most Valuable Security Researchers!
The MSRC Researcher Recognition Program offers public thanks and acknowledgement to the researchers who help protect customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuable Security...
Doldrums - A Flutter/Dart Reverse Engineering Tool
To flutter: to move in quick, irregular motions, to beat rapidly, to be agitated. Doldrums: a period of stagnation. Doldrums is a reverse engineering tool for Flutter apps targeting Android. Concretely, it is a parser and information extractor for the Flutter/Dart Android binary, conventionally...