5M WordPress Sites Running 'Contact Form 7' Plugin Open to Attack

A patch for the popular WordPress plugin called Contact Form 7 was released Thursday. It fixes a critical bug that allows an unauthenticated adversary to takeover a website running the plugin or possibly hijack the entire server hosting the site. The patch comes in the form of a 5.3.2 version...

CVE-2019-14478

AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting XSS vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScrip...

Cross site scripting

AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting XSS vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScrip...

CVE-2019-14478

AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting XSS vulnerability in the NetCrunch web client. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScrip...

Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome

A Mozilla Foundation update to the Firefox web browser, released Tuesday, tackles one critical vulnerability and a handful of high-severity bugs. The update, released as Firefox version 84, is also billed by Mozilla as boosting the browser’s performance and adding native support for macOS hardwar...

Mozilla Firefox 安全漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox in that if a user downloads a file without an extension on Windows, and then "opens" it in the download panel, the executable will be launched if the...

SoReL-20M: A Huge Dataset of 20 Million Malware Samples Released Online

Cybersecurity firms Sophos and ReversingLabs on Monday jointly released the first-ever production-scale malware research dataset to be made available to the general public that aims to build effective defenses and drive industry-wide improvements in security detection and response. "SoReL-20M"...

Russian APT28 Hackers Using COVID-19 as Bait to Deliver Zebrocy Malware

A Russian threat actor known for its malware campaigns has reappeared in the threat landscape with yet another attack leveraging COVID-19 as phishing lures, once again indicating how adversaries are adept at repurposing the current world events to their advantage. Linking the operation to a...

CVE-2020-26233

GCM Core on Windows is affected by CVE-2020-26233 prior to 2.0.289. When recursively cloning a repo with submodules, Git Credential Manager Core may start a malicious git.exe in the top-level repository instead of the PATH git when reading configuration, potentially enabling code execution. The i...

Git SQL Injection Vulnerability

Git is a free, open source distributed version control system. A SQL injection vulnerability exists in Git Credential Manager Core, where if a malicious git.exe executable is present in the top-level repository, the binary will be launched by Git Credential Manager Core when attempting to read th...

Arbitrary Code Execution

binutils is vulnerable to arbitrary code execution. The bfdXXiswapaouthdrin function in bfd/peXXigen.c allows remote attackers to cause a denial of service out-of-bounds write via a malicious NumberOfRvaAndSizes field in the AOUT header in a PE executable...

Sandbox Escape

In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 aka Quake 3 engine forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as...

Western Digital My Cloud Multiple Products 5.0 < 5.06.115 Multiple Vulnerabilities

Multiple Western Digital My Cloud products are prone to multiple vulnerabilities. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This progr...

CVE-2020-8539

Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker t...

Input validation

Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker t...

Apache OpenOffice Code Execution Vulnerability

Apache OpenOffice is the United States Apache Apache Software Foundation of an open source office software suite. The suite contains text documents, spreadsheets, presentations, drawings, databases and so on. Apache OpenOffice has a code execution vulnerability that can be exploited by an attacke...

VulnCheck KEV: CVE-2015-7571

Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension...

Easy Registration Forms <= 2.0.6 - CSV Injection

Easy Registration Forms ER Forms Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on this inputs and the codes are executable...

Enable mitigations for CVE-2018-12207

Depending on your hardware, your Citrix Hypervisor or XenServer installation may be affected by the security issue with the identifierCVE-2018-12207. Citrix provides the following hotfixes to mitigate this issue: XS70E075, XS71ECU2024, XS76E012,XS80E008. For more information, seeCitrix Hypervisor...

CVE-2020-12510

The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for...