PT-2025-2140 · WordPress · Adifier System
Name of the Vulnerable Software and Affected Versions: Adifier System plugin for WordPress versions up to, and including, 3.1.7 Description: The issue arises from the plugin's failure to properly validate a user's identity before updating their details, such as passwords, through the adifier...
CVE-2024-26147 Helm's Missing YAML Content Leads To Panic
Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin YAML files missing expected content. When either an index.yaml file or a plugin's plugin.yaml file was missing all metadata, a panic would...
SUSE CVE-2010-1633
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive...
Not Just for the Government: Using the NIST Framework to Secure WordPress
When setting up a WordPress website, it is easy to focus on the look and feel of the website, while overlooking the important aspect of security. This makes sense, because the security of a website is largely invisible until something goes wrong. Installing a cybersecurity plugin like Wordfence...
PT-2022-33411 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v5.19.3 Description: The issue is related to the btrfs raid56 functionality, specifically in the raid56 parity recover function, where cached sectors are not trusted. The actual impact and attack plausibility ha...
PT-2022-23060
Name of the Vulnerable Software and Affected Versions: OpenZeppelin Contracts versions prior to 4.7.3 Description: The functions ECDSA.recover and ECDSA.tryRecover are vulnerable to signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature...
Cross-site Scripting (XSS)
org.wso2.carbon.identity.mgt.endpoint.util is vulnerable to cross-site scripting. The vulnerability exists due to the lack of regular expression validation in the localVarPath parameter in the recover function of PasswordRecoveryApiV1.java, allowing an attacker to inject and execute malicious...
lack of validation for the v and s value in recover() function
Handle: JMukesh. Vulnerability details. Impact: due to lack of checking of v and s value in recover, it becomes prone to signature malleability. Proof of Concept: check out the tryRecover of ECDSA.sol. Tools Used: manual review. Recommended Mitigation Steps: add necessary check to make the signature unique -...