4960 matches found

Rapid7 Blog
added 2021/11/09 4:59 p.m., 158 views

Opportunistic Exploitation of Zoho ManageEngine and Sitecore CVEs

Over the weekend of November 6, 2021, Rapid7's Incident Response (IR) and Managed Detection and Response (MDR) teams began seeing opportunistic exploitation of two unrelated CVEs: CVE-2021-40539, a REST API authentication bypass in Zoho's ManageEngine ADSelfService Plus product that Rapid7 has...

CVSS 10, AI score 9.8, EPSS 0.99214
Exploits: 12
Prion
added 2021/11/08 6:15 p.m., 13 views

SQL injection

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection...

CVSS 7.5, AI score 9.7, EPSS 0.07542
Exploits: 2, References: 1, Affected Software: 1
Cvelist
added 2021/11/08 5:35 p.m., 19 views

CVE-2021-24731 Pie Register < 3.7.1.6 - Unauthenticated SQL Injection

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection...

AI score 10, EPSS 0.07542
Exploits: 2, References: 1
The Hacker News
added 2021/11/08 2:39 p.m., 131 views

Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit

At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a recently patched critical vulnerability in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution. The spying...

CVSS 9.8, AI score 10, EPSS 0.9896
Exploits: 8
CNNVD
added 2021/11/08 12:00 a.m., 4 views

WordPress SQL Injection Vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports personal blog sites on PHP and MySQL servers. WordPress Plugin Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways,...

CVSS 9.8, AI score 8.5, EPSS 0.07542
Exploits: 2, References: 2
CISA KEV Catalog
added 2021/11/03 12:00 a.m., 19 views

Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability

Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution...

CVSS 9.8, AI score 9.7, EPSS 0.9896
In wild; Exploits: 8
NVD
added 2021/11/02 4:15 p.m., 13 views

CVE-2021-29737

IBM InfoSphere Data Flow Designer Engine (IBM InfoSphere Information Server 11.7 component) has improper validation of the REST API server certificate. IBM X-Force ID: 201301...

CVSS 7.5, EPSS 0.00671
Exploits: 0, References: 2
Prion
added 2021/11/02 4:15 p.m., 17 views

Input validation

IBM InfoSphere Data Flow Designer Engine (IBM InfoSphere Information Server 11.7 component) has improper validation of the REST API server certificate. IBM X-Force ID: 201301...

CVSS 5, AI score 7.3, EPSS 0.00671
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2021/11/02 4:00 p.m., 44 views

CVE-2021-29737

The CVE-2021-29737 entry relates to IBM InfoSphere Data Flow Designer Engine within IBM InfoSphere Information Server 11.7, which is affected by improper validation of the REST API server certificate. The IBM Security Bulletin and NVD entry confirm the affected component and describe a REST certi...

CVSS 7.5, AI score 7.3, EPSS 0.00671
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2021/11/02 4:00 p.m., 17 views

CVE-2021-29737

IBM InfoSphere Data Flow Designer Engine (IBM InfoSphere Information Server 11.7 component) has improper validation of the REST API server certificate. IBM X-Force ID: 201301...

CVSS 5.9, AI score 7.3, EPSS 0.00671
Exploits: 0, References: 2
CNVD
added 2021/11/02 12:00 a.m., 8 views

IBM InfoSphere DataStage Flow Designer Trust Management Issue Vulnerability

IBM InfoSphere DataStage Flow Designer is a web-based DataStage flow designer from IBM, Inc. A security vulnerability exists in IBM InfoSphere DataStage Flow Designer that stems from an error in the validation of REST API server credentials by the IBM InfoSphere DataStage Flow Designer engine...

CVSS 7.5, AI score 6.6, EPSS 0.00671
Exploits: 0, References: 1
Cvelist
added 2021/11/01 9:01 p.m., 29 views

CVE-2021-39341 OptinMonster <= 2.6.4 Unprotected REST-API Endpoints

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the loggedinorhasapikey function in the /OMAPI/RestApi.php file that can be used to inject malicious web scripts on sites with...

CVSS 8.2, AI score 7.9, EPSS 0.2327
Exploits: 1, References: 3
Vulnrichment
added 2021/11/01 9:01 p.m., 8 views

CVE-2021-39341 OptinMonster <= 2.6.4 Unprotected REST-API Endpoints

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the loggedinorhasapikey function in the /OMAPI/RestApi.php file that can be used to inject malicious web scripts on sites with...

CVSS 8.2, AI score 7.7, EPSS 0.2327
Exploits: 1, References: 3
Wordfence Blog
added 2021/10/27 2:02 p.m., 125 views

1,000,000 Sites Affected by OptinMonster Vulnerabilities

Note: To receive disclosures like this in your inbox the moment they're published, you can subscribe to our WordPress Security Mailing List. On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in...

CVSS 6.4, AI score 8.6, EPSS 0.2327
Exploits: 1
WPVulnDB
added 2021/10/27 12:00 a.m., 30 views

OptinMonster < 2.6.5 - Unprotected REST-API Endpoints

OptinMonster was missing appropriate capability checks on several REST-API endpoints which made it possible for unauthenticated attackers, and in some instances authenticated with low privileges, to perform unauthorized actions, as well as access sensitive information such as the...

CVSS 8.2, AI score 7.7, EPSS 0.2327
Exploits: 1, References: 1, Affected Software: 1
Patchstack
added 2021/10/27 12:00 a.m., 12 views

WordPress OptinMonster plugin <= 2.6.4 - Unprotected REST-API to Sensitive Information Disclosure and Unauthorized API access vulnerability

Unprotected REST-API to Sensitive Information Disclosure and Unauthorized API access vulnerability discovered by Chloe Chamberland (Wordfence) in WordPress OptinMonster plugin versions <= 2.6.4. Solution: Update the WordPress OptinMonster plugin to the latest available version (at least 2.6.5)...

AI score 3, EPSS 0.2327
Exploits: 1, References: 3, Affected Software: 1
NVD
added 2021/10/18 2:15 p.m., 13 views

CVE-2021-24677

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...

CVSS 5.3, EPSS 0.01212
Exploits: 2, References: 1
Prion
added 2021/10/18 2:15 p.m., 11 views

Design/Logic Flaw

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...

CVSS 5, AI score 5.3, EPSS 0.01212
Exploits: 2, References: 1, Affected Software: 1
Cvelist
added 2021/10/18 1:45 p.m., 15 views

CVE-2021-24677 Find My Blocks < 3.4.0 - Private Post Titles Disclosure

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...

AI score 5.6, EPSS 0.01212
Exploits: 2, References: 1
CVE
added 2021/10/18 1:45 p.m., 79 views

CVE-2021-24677

The CVE concerns the WordPress plugin Find My Blocks prior to version 3.4.0, where the REST API lacks authorization checks. This allows unauthenticated users to enumerate titles of private posts via the plugin's REST endpoints (e.g., private post title disclosure). Impact is limited to affected s...

CVSS 5.3, AI score 5.2, EPSS 0.01212
Exploits: 2, References: 1, Affected Software: 1