Lucene search

7716 matches found

CNNVD
added 2021/05/17 12:0 a.m. | 2 views

Emlog Cross-Site Scripting Vulnerability

emlog is a PHP and MySQL based blog and CMS builder. A cross-site scripting vulnerability exists in emlog version 6.0.0. The vulnerability can be exploited to execute arbitrary code by adding a specially crafted script as a link to a new blog post...

6.1 CVSS | 5.7 AI score | 0.01524 EPSS
Exploits: 1 | References: 2
Wired Threat Level
added 2021/05/15 11:0 a.m. | 76 views

WhatsApp’s New Privacy Policy Just Kicked In

Instead of a hard cutoff, the messaging app will gradually degrade and eventually cease to function if you don’t accept the changes...

2.2 AI score
Exploits: 0
Schneier on Security
added 2021/05/14 9:6 p.m. | 40 views

Friday Squid Blogging: Far Side Squid Comic

A classic. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1 AI score
Exploits: 0
CNNVD
added 2021/05/11 12:0 a.m. | 3 views

Kk Star Ratings Cross-Site Scripting Vulnerability

kk-star-ratings is an application. Used to allow blog visitors to engage and interact with your site by rating posts. A cross-site scripting vulnerability exists in the Kk Star Ratings plugin prior to version 4.1.5...

6.1 CVSS | 5.8 AI score | 0.00685 EPSS
Exploits: 0 | References: 2
FireEye
added 2021/05/11 12:0 a.m. | 129 views

Shining a Light on DARKSIDE Ransomware Operations

Update May 14: Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers, and wou...

7.5 CVSS | 0.1 AI score | 0.40038 EPSS
Exploits: 0 | References: 14
CNVD
added 2021/05/10 12:0 a.m. | 3 views

Catfish Blog V3.9.0 File Upload Vulnerability in Backend

Catfish Blog is an open source free PHP blog. A file upload vulnerability exists in the backend of Catfish Blog V3.9.0, which can be exploited by an attacker to gain control of the server...

7.5 AI score
Exploits: 0
CNVD
added 2021/05/10 12:0 a.m. | 3 views

File upload vulnerability in Catfish Blog V3.9.0 backend (CNVD-2021-37306)

Catfish Blog is an open source free PHP blog. A file upload vulnerability exists in the backend of Catfish Blog V3.9.0, which can be exploited by an attacker to gain control of the server...

7.5 AI score
Exploits: 0
Hacker One
added 2021/05/09 9:49 a.m. | 76 views

Evernote: Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion

Summary: The following endpoint was found to be vulnerable to SSRF: https://www.evernote.com/ro/aHR0cDovLzE2OS4yNTQuMTY5LjI1NC8jdGVzdC5qcw==/-1430533899.js The endpoint takes a path in the URL and retrieves its content. It is supposed to be used on a path, but it can be used on a URL to get access to intern...

6.9 AI score
Exploits: 0
Microsoft Secure
added 2021/05/06 4:0 p.m. | 208 views

Business email compromise campaign targets wide range of orgs with gift card scam

Cybercriminals continue to target businesses to trick recipients into approving payments, transferring funds, or, in this case, purchasing gift cards. This kind of email attack is called business email compromise (BEC)—a damaging form of phishing designed to gain access to critical business...

Exploits: 0
CNVD
added 2021/05/06 12:0 a.m. | 2 views

Logic Flaw Vulnerability in SpringBoot-Blog

SpringBoot-Blog is a Java blog system. A logic flaw vulnerability exists in SpringBoot-Blog. An attacker can exploit the vulnerability to bypass authentication and obtain sensitive information...

7.1 AI score
Exploits: 0
CNVD
added 2021/05/06 12:0 a.m. | 2 views

Logic flaw vulnerability in the backend of the mayday blog system

mayday blog system is a Java blog system built on springboot, mybatis, ehcache, thymeleaf and bootstrap, with support for a markdown editor. A logic flaw vulnerability exists in the backend of the mayday blog system. Attackers can use the vulnerability to bypass authentication and obtain sensitive...

7.2 AI score
Exploits: 0
IBM Security Bulletins
added 2021/04/26 9:17 p.m. | 60 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-3092)

Summary: IBM WebSphere Application Server is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details: Refer to the security...

7.8 CVSS | 0.8 AI score | 0.35927 EPSS
Exploits: 0 | Affected Software: 2
Schneier on Security
added 2021/04/23 9:1 p.m. | 38 views

Friday Squid Blogging: Squid-Shaped Bike Rack

There's a new squid-shaped bike rack in Ballard, WA. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...

1.4 AI score
Exploits: 0
Pen Test Partners Blog
added 2021/04/23 11:16 a.m. | 61 views

We’re Hiring!

We're growing and we need to fill these 5 UK based roles: PHP Full-Stack Developer, Pen Testing Consultant, Red Team Support, Digital Forensic Analyst, IT Support Technician. You can find all the details here. We think we're a good bunch and there are some really good perks. If you have the skills and...

7 AI score
Exploits: 0
Wired Threat Level
added 2021/04/17 1:0 p.m. | 78 views

How the FBI Got Into the San Bernardino Shooter’s iPhone

Plus: Russian sanctions, Europe’s SolarWinds fallout, and more of this week’s top security news...

1.7 AI score
Exploits: 0
Richard Bejtlich's blog
added 2021/04/13 3:0 p.m. | 30 views

New Book! The Best of TaoSecurity Blog, Volume 4

I've completed the TaoSecurity Blog book series. The new book is The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship. It's available now for Kindle, and I'm working on the print edition. I'm running a 50% off promo on Volumes 1-3 on Kindle through...

6.8 AI score
Exploits: 0
OSV
added 2021/04/13 5:15 a.m. | 21 views

CVE-2021-30637

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php...

5.4 CVSS | 5.5 AI score
Exploits: 0 | References: 2
Prion
added 2021/04/13 5:15 a.m. | 21 views

Cross site scripting

htmly 2.8.0 allows stored XSS via the blog title, Tagline, or Description to config.html.php...

3.5 CVSS | 5.1 AI score | 0.01898 EPSS
Exploits: 4 | References: 2 | Affected Software: 1
Circl
added 2021/04/13 5:0 a.m. | 20 views

CVE-2021-33766

creationtimestamp | type | source
---|---|---
2021-04-13 05:00:00+00:00 | seen | https://msrc.microsoft.com/blog/2021/04/april-2021-update-tuesday-packages-now-available/
2021-08-30 20:48:52+00:00 | seen | https://t.me/cibsecurity/28015
2021-08-30 21:16:05+00:00 | seen | https://t.me/cKure/6874
2021-08-3...

7.5 CVSS | 7 AI score | 0.97502 EPSS
Exploits: 2 | References: 25
CVE
added 2021/04/13 4:58 a.m. | 101 views

CVE-2021-30637

CVE-2021-30637 affects htmly 2.8.0, allowing stored XSS via the blog title, Tagline, or Description submitted to config.html.php. The root cause is unescaped user input stored and later reflected, enabling script execution in affected pages. Public writeups and exploits exist (e.g., PacketStorm/E...

5.4 CVSS | 5.2 AI score | 0.01898 EPSS
Exploits: 4 | References: 2 | Affected Software: 1