Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.
...
WordPress Cookie Information | Free GDPR Consent Solution plugin cross-site scripting vulnerability
WordPress is a set of blogging platforms developed by the WordPress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress Cookie Information | Free GDPR Consent Solution plugin prior to version 2.0.8 is vulnerable to a cross-site scripting vulnerability...
WordPress ARI Fancy Lightbox plugin cross-site scripting vulnerability
WordPress is a set of blogging platforms developed by the WordPress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. A cross-site scripting vulnerability exists in versions of the WordPress ARI Fancy Lightbox plugin prior to 1.3.9, which stems from a...
Hackers Abuse Mitel Devices to Amplify DDoS Attacks by 4 Billion Times
Threat actors have been observed abusing a high-impact reflection/amplification method to stage sustained distributed denial-of-service (DDoS) attacks for up to 14 hours with a record-breaking amplification ratio of 4,294,967,296 to 1. The attack vector – dubbed TP240PhoneHome (CVE-2022-26143) – has...
WordPress Advanced iFrame plugin cross-site scripting vulnerability
WordPress is a set of blogging platforms developed by the WordPress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress Advanced iFrame plugin versions prior to 2022 contain a cross-site scripting vulnerability that stems from the plugin's failure to...
CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector
A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks...
Hackers Begin Weaponizing TCP Middlebox Reflection for Amplified DDoS Attacks
Distributed denial-of-service (DDoS) attacks leveraging a new amplification technique called TCP Middlebox Reflection have been detected for the first time in the wild, six months after the novel attack mechanism was presented in theory. "The attack … abuses vulnerable firewalls and content filteri...
WordPress WP Accessibility Helper plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blogging sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in versions of the WordPress WP Accessibility Helper plugin prio...
TCP Middlebox Reflection: Coming to a DDoS Near You
Over the past week, Akamai Security Researchers have detected and analyzed a series of TCP reflection attacks, peaking at 11 Gbps at 1.5 Mpps, that were leveled against Akamai customers. The attack, amplified with a technique called TCP Middlebox Reflection, abuses vulnerable firewalls and conten...
WordPress plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions of the WordPress WP User plugin prior to 7.0. The vulnerability stems...
WordPress Plugin Download Manager SQL Injection Vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A SQL injection vulnerability exists in the WordPress plugin Download Manager prior to version 3.2.34. The...
WordPress NewStatPress plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions of the WordPress NewStatPress plugin prior to 1.3.6. The vulnerabili...
Mageia: Security Advisory (MGASA-2020-0259)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Mageia: Security Advisory (MGASA-2014-0032)
The remote host is missing an update for the...
WordPress EventCalendar plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports personal blogging sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions of the WordPress EventCalendar plugin prior to 1.1.15, which stems from t...
CVE-2021-41256
nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally...
Exploit for Cross-site Scripting in Prisma Graphql-Playground-Html
This is a PoC exploit for CVE-2020-4038, an XSS Reflection attack vulnerability in the GraphQL Playground repository. The vulnerability is present in the graphql-playground-html package, which is used by several other packages, including graphql-playground-express, graphql-playground-koa,...
Darwin Factor cross-site scripting vulnerability
Darwin Factor is a free and open source next-generation TypeScript framework from Darwin, Inc. Darwin Factor has a cross-site scripting vulnerability that stems from vulnerability to search parameter reflection cross-site scripting (XSS) attacks in URLs, which can be exploited by unauthenticated...
XinXueYing Info webopac7 cross-site scripting vulnerability
XinXueYing Info Webopac7 is an online public access catalog of China XinXueYing Info. It is used for users to access library services over the Internet. A cross-site scripting vulnerability exists in XinXueYing Info webopac7, which originates from a book search field parameter that does not...
WordPress Plugin Cross-Site Scripting Vulnerability (CNVD-2021-101469)
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. WordPress plugin WP Header Images version 2.0.1...