4936 matches found

WPVulnDB
added 2021/03/26 12:00 a.m., 13 views

Quiz And Survey Master < 7.1.14 - Authenticated SQL injection via Rest API

While confirming https://wpscan.com/vulnerability/3b52b25c-82a1-41c7-83ac-92e244f7c5ab, another SQLi issue was identified and reported. The qsm_rest_get_bank_questions function in the php/rest-api.php file did not properly sanitise and escape the category parameter before using it in SQL statements...

Exploits: 0 | References: 1 | Affected Software: 1
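The bug class in the entry above (a REST parameter dropped straight into SQL text) shown on a constructed SQLite table, as an added example that is not the plugin's code: the table, rows, function names and payloads are all assumptions made for the illustration. The vulnerable version interpolates `category`; the fixed version binds it, which is what `$wpdb->prepare()` does in WordPress.

```python
import sqlite3
from typing import List, Tuple

# Constructed question bank standing in for the plugin's table (sample data).
SAMPLE_ROWS = [
    (1, "math", "What is 2 + 2?"),
    (2, "math", "What is 3 * 3?"),
    (3, "hidden", "Answer key for exam 7"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE questions (id INTEGER, category TEXT, text TEXT)")
    conn.executemany("INSERT INTO questions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_bank_questions_vulnerable(conn: sqlite3.Connection, category: str) -> List[Tuple]:
    # Bug class from the advisory: the request parameter becomes part of the
    # statement text, so quotes and keywords inside it are executed as SQL.
    sql = "SELECT id, category, text FROM questions WHERE category = '%s'" % category
    return conn.execute(sql).fetchall()


def get_bank_questions_fixed(conn: sqlite3.Connection, category: str) -> List[Tuple]:
    # Fix: bind the value. The driver passes it separately from the statement,
    # so it can only ever be compared as data (WordPress: $wpdb->prepare()).
    sql = "SELECT id, category, text FROM questions WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()


# Tautology payload: closes the quoted string and ORs in an always-true clause.
TAUTOLOGY = "math' OR '1'='1"
# UNION payload: appends a second SELECT for rows the caller was never meant
# to see; the trailing comment swallows the closing quote.
UNION = "x' UNION SELECT id, category, text FROM questions WHERE category = 'hidden' -- "


def demo() -> dict:
    """Run each payload through both implementations on a fresh database."""
    conn = make_db()
    return {
        "normal": get_bank_questions_vulnerable(conn, "math"),
        "tautology_vulnerable": get_bank_questions_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": get_bank_questions_vulnerable(conn, UNION),
        "tautology_fixed": get_bank_questions_fixed(conn, TAUTOLOGY),
        "union_fixed": get_bank_questions_fixed(conn, UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The bound version returns nothing for both payloads because the whole string is compared as a category name; no amount of escaping in the caller is needed once the value never touches the statement text.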
ThreatPost
added 2021/03/24 8:36 p.m., 44 views

Active Exploits Hit WordPress Sites Vulnerable to Thrive Themes Flaws

Attackers are actively exploiting two recently-patched vulnerabilities in a popular suite of tools for WordPress websites from marketing platform Thrive Themes. Thrive Themes offers various products to help WordPress websites “convert visitors into leads and customers.” Its suite of products,...

AI score: 0.5
Exploits: 0 | References: 4
Kitploit
added 2021/03/24 11:30 a.m., 78 views

Kraker - Distributed Password Brute-Force System Focused On Ease Of Use

Kraker is a distributed password brute-force system that allows you to run and manage hashcat on different servers and workstations, focused on ease of use. There were two main goals during the design and development: to create the most simple tool for distributed hash cracking and make it...

AI score: 7.4
Exploits: 0 | References: 2
WPVulnDB
added 2021/03/24 12:00 a.m., 23 views

All Thrive Themes and Plugins - Unauthenticated Option Update

The plugins and themes register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty apikey parameter in vulnerable versions if Zapier was not enabled. Attackers coul...

CVSS 5 | AI score 0.8 | EPSS 0.16356
Exploits: 2 | References: 1 | Affected Software: 22
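The entry above describes an API-key check that passes when the supplied key is empty and the integration was never enabled. The following added example (not Thrive's code; the option names, the `apikey` parameter handling and the handler are assumptions consistent with the description) contrasts a permission callback that compares "supplied" with "stored" without checking that either is set, against one that fails closed and compares in constant time.

```python
import hmac
from typing import Callable, Dict, Mapping

# Constructed stand-ins for a site's saved options. Before the integration is
# switched on, no key has been generated, so the stored value is empty.
OPTIONS_INTEGRATION_OFF: Dict[str, object] = {"integration_enabled": False, "api_key": ""}
OPTIONS_INTEGRATION_ON: Dict[str, object] = {"integration_enabled": True, "api_key": "constructed-example-key"}


def permission_check_vulnerable(options: Mapping[str, object], params: Mapping[str, str]) -> bool:
    """Flawed pattern consistent with the advisory: compare whatever was supplied
    with whatever is stored. With nothing stored, an empty `apikey` matches."""
    supplied = params.get("apikey", "")
    return supplied == options.get("api_key", "")


def permission_check_fixed(options: Mapping[str, object], params: Mapping[str, str]) -> bool:
    """Fail closed: the feature must be enabled, a non-empty key must exist, a
    non-empty key must be supplied, and the comparison must be constant-time."""
    if not options.get("integration_enabled"):
        return False
    stored = str(options.get("api_key") or "")
    supplied = str(params.get("apikey") or "")
    if not stored or not supplied:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))


def handle_update_option(options: Mapping[str, object], params: Mapping[str, str],
                         check: Callable[[Mapping[str, object], Mapping[str, str]], bool]) -> str:
    """Simulated unauthenticated REST route: the permission callback is the only
    thing standing between an anonymous request and a settings write."""
    if not check(options, params):
        return "403 forbidden"
    return "200 option updated"


if __name__ == "__main__":
    anon = {"apikey": ""}
    print("vulnerable, integration off:", handle_update_option(OPTIONS_INTEGRATION_OFF, anon, permission_check_vulnerable))
    print("fixed, integration off:     ", handle_update_option(OPTIONS_INTEGRATION_OFF, anon, permission_check_fixed))
```

The vulnerable check is only exploitable while the integration is off, which matches the advisory's wording; the fixed check also refuses a missing parameter and never compares against an unset secret.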
WPVulnDB
added 2021/03/24 12:00 a.m., 27 views

All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion

Thrive “Legacy” themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote...

CVSS 6.4 | AI score 0.8 | EPSS 0.6379
Exploits: 2 | References: 1 | Affected Software: 10
WPVulnDB
added 2021/03/17 12:00 a.m., 9 views

BuddyPress < 7.2.1 - Force a Friendship

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to force a friendship on behalf of another member, using the BuddyPress REST API buddypress/v1/friends endpoint...

AI score: 3.9
Exploits: 0 | References: 2 | Affected Software: 1
CNVD
added 2021/03/17 12:00 a.m., 5 views

IBM Spectrum Scale Unauthorized Access Vulnerability

IBM Spectrum Scale is a scalable data and file management solution from IBM USA based on IBM GPFS, an enterprise file management system optimized for petabyte-scale storage management. The product supports helping clients reduce storage costs while improving security and management efficiency in...

CVSS 6.2 | AI score 6.4 | EPSS 0.00038
Exploits: 0 | References: 1
WPVulnDB
added 2021/03/17 12:00 a.m., 37 views

BuddyPress < 7.2.1 - REST API Privilege Escalation

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a privilege escalation from a regular user to Administrator, using the BuddyPress REST API buddypress/v1/members/me endpoint...

CVSS 9 | AI score 5.5 | EPSS 0.93304
Exploits: 2 | References: 3 | Affected Software: 1
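A "self" endpoint that lets a member escalate to Administrator is a mass-assignment problem: the handler writes whatever fields arrive in the request onto the caller's record, including the one that holds the role. The example below is added here and is not BuddyPress code; the record shape, the field allow-list and the `promote_users` capability gate are assumptions chosen to match the description (`promote_users` is an existing WordPress capability, but whether BuddyPress checks it here is not something this page states).

```python
import copy
from typing import Callable, Dict, Set

# Constructed member record in the shape of a WordPress/BuddyPress user:
# `roles` is what decides what the account may do.
SUBSCRIBER = {"id": 7, "name": "Dana", "bio": "hello", "roles": ["subscriber"]}

# Fields a member may change about themselves through /members/me.
SELF_EDITABLE: Set[str] = {"name", "bio"}
# Fields that change authority; each needs a capability the caller must hold.
PRIVILEGED: Dict[str, str] = {"roles": "promote_users"}


def update_me_vulnerable(user: Dict, body: Dict, current_user_can: Callable[[str], bool] = None) -> Dict:
    """Mass-assignment pattern consistent with the advisory: every key in the
    request body is written onto the caller's own record, `roles` included."""
    updated = copy.deepcopy(user)
    updated.update(body)
    return updated


def update_me_fixed(user: Dict, body: Dict, current_user_can: Callable[[str], bool]) -> Dict:
    """Allow-list the writable fields; route authority-changing fields through a
    capability check instead of trusting the caller. Unknown fields are refused
    rather than silently dropped so that client bugs surface."""
    updated = copy.deepcopy(user)
    for field, value in body.items():
        if field in SELF_EDITABLE:
            updated[field] = value
        elif field in PRIVILEGED and current_user_can(PRIVILEGED[field]):
            updated[field] = value
        else:
            raise PermissionError(f"{field!r} cannot be set through this endpoint")
    return updated


def rest_update_me(user: Dict, body: Dict, current_user_can: Callable[[str], bool],
                   handler: Callable) -> Dict:
    """Simulated REST response: 200 with the new record, or 403 with nothing changed."""
    try:
        return {"status": 200, "user": handler(user, body, current_user_can)}
    except PermissionError as exc:
        return {"status": 403, "error": str(exc), "user": user}


def is_administrator(user: Dict) -> bool:
    return "administrator" in user.get("roles", [])


if __name__ == "__main__":
    body = {"bio": "new bio", "roles": ["administrator"]}
    no_caps = lambda cap: False          # an ordinary subscriber holds no elevated capability
    for handler in (update_me_vulnerable, update_me_fixed):
        r = rest_update_me(SUBSCRIBER, body, no_caps, handler)
        print(handler.__name__, r["status"], "admin now:", is_administrator(r["user"]))
```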
CNVD
added 2021/03/17 12:00 a.m., 8 views

IBM Spectrum Scale Denial of Service Vulnerability (CNVD-2021-20199)

IBM Spectrum Scale is a scalable data and file management solution from IBM USA based on IBM GPFS, an enterprise file management system optimized for petabyte-scale storage management. The product supports helping clients reduce storage costs while improving security and management efficiency in...

CVSS 4.4 | AI score 6.5 | EPSS 0.00041
Exploits: 0 | References: 1
WPVulnDB
added 2021/03/17 12:00 a.m., 8 views

BuddyPress < 7.2.1 - Invite Member to Join Group

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to invite another member to join a group without being friends when that group restricted invites to friends only, using BuddyPress Nouveau and the BuddyPress REST API...

AI score: 4.8
Exploits: 0 | References: 2 | Affected Software: 1
WPVulnDB
added 2021/03/17 12:00 a.m., 10 views

BuddyPress < 7.2.1 - Read Private Messages

The BuddyPress WordPress plugin, versions before 7.2.1, fixed a vulnerability that could allow a member to read private messages in a thread they were not invited to, using the BuddyPress REST API buddypress/v1/messages endpoint...

AI score: 4.4
Exploits: 0 | References: 2 | Affected Software: 1
NVD
added 2021/03/16 2:15 p.m., 12 views

CVE-2020-4890

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absence of rate limiting. IBM X-Force ID: 190973...

CVSS 4.4 | EPSS 0.00041
Exploits: 0 | References: 2
NVD
added 2021/03/16 2:15 p.m., 11 views

CVE-2020-4891

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force Rest API account credentials. IBM X-Force ID: 190974...

CVSS 6.2 | EPSS 0.00038
Exploits: 0 | References: 2
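CVE-2020-4890 and CVE-2020-4891 above are two sides of one control gap on a REST API login path: no request rate limiting and no effective account lockout. The following added example, which serves both entries, is generic and not IBM's code; the log format, thresholds, and class names are assumptions, and the event lines are constructed for the illustration. `detect_bruteforce` is what a SOC would run over authentication logs to spot the brute force the lockout should have stopped; `LoginGuard` is the server-side control itself, evaluated before the credentials are checked.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, Tuple

# Constructed REST API authentication events (not real product logs):
# "<ISO-8601 UTC> <outcome> user=<account> src=<client ip>"
SAMPLE_EVENTS = [
    "2021-03-10T10:00:00Z auth_failure user=alice src=10.0.0.5",
    "2021-03-10T10:00:01Z auth_failure user=alice src=10.0.0.5",
    "2021-03-10T10:00:02Z auth_failure user=alice src=10.0.0.5",
    "2021-03-10T10:00:03Z auth_failure user=alice src=10.0.0.5",
    "2021-03-10T10:00:04Z auth_failure user=alice src=10.0.0.5",
    "2021-03-10T10:00:05Z auth_failure user=alice src=10.0.0.5",
    "2021-03-10T10:00:06Z auth_success user=alice src=10.0.0.5",
    "2021-03-10T10:05:00Z auth_failure user=bob src=10.0.0.9",
    "2021-03-10T10:20:00Z auth_failure user=bob src=10.0.0.9",
    "2021-03-10T10:35:00Z auth_success user=bob src=10.0.0.9",
]

Key = Tuple[str, str]  # (account, source ip)


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    ts, outcome, user_kv, src_kv = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, outcome, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[Key, datetime]:
    """Detection side: first time each (account, source) exceeded `threshold`
    failures inside a sliding `window`. Successes are deliberately ignored so a
    guess that finally lands does not erase the evidence."""
    recent: Dict[Key, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Key, datetime] = {}
    for line in lines:
        when, outcome, user, src = parse_event(line)
        if outcome != "auth_failure":
            continue
        q = recent[(user, src)]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) > threshold and (user, src) not in alerts:
            alerts[(user, src)] = when
    return alerts


class LoginGuard:
    """Prevention side: per-source rate limit plus per-account lockout, both
    evaluated before the password is looked at."""

    def __init__(self, max_failures: int = 5, lockout: timedelta = timedelta(minutes=15),
                 max_requests: int = 20, rate_window: timedelta = timedelta(seconds=10)):
        self.max_failures, self.lockout = max_failures, lockout
        self.max_requests, self.rate_window = max_requests, rate_window
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, datetime] = {}
        self.requests: Dict[str, Deque[datetime]] = defaultdict(deque)

    def check(self, user: str, src: str, now: datetime, credentials_ok: bool) -> str:
        q = self.requests[src]
        q.append(now)
        while q and now - q[0] > self.rate_window:
            q.popleft()
        if len(q) > self.max_requests:
            return "rate_limited"           # throttle before doing any work
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"                 # even a correct password is refused
        if credentials_ok:
            self.failures[user] = 0
            return "allowed"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
        return "denied"


if __name__ == "__main__":
    for (user, src), when in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"brute force suspected: user={user} src={src} at {when.isoformat()}")
```

The guard returns "locked" for a correct password while the lockout is active, which is the property the CVE-2020-4891 wording ("inadequate account lockout setting") says was missing; the rate limit is keyed on the source rather than the account so that spraying one password across many accounts is throttled as well.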
Prion
added 2021/03/16 2:15 p.m., 14 views

Code injection

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force Rest API account credentials. IBM X-Force ID: 190974...

CVSS 2.1 | AI score 5.2 | EPSS 0.00038
Exploits: 0 | References: 2 | Affected Software: 1
Prion
added 2021/03/16 2:15 p.m., 19 views

Code injection

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absence of rate limiting. IBM X-Force ID: 190973...

CVSS 2.1 | AI score 4.6 | EPSS 0.00041
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2021/03/16 1:55 p.m., 40 views

CVE-2020-4891

CVE-2020-4891 affects IBM Spectrum Scale: versions 5.0.0–5.0.5.5 and 5.1.0–5.1.0.2 expose an improper account lockout setting that could let a local attacker brute-force REST API credentials. Affected product: IBM Spectrum Scale (GPFS-based). Root cause: inadequate local account lockout configura...

CVSS 6.2 | AI score 5.2 | EPSS 0.00038
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2021/03/16 1:55 p.m., 13 views

CVE-2020-4891

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force Rest API account credentials. IBM X-Force ID: 190974...

CVSS 6.2 | AI score 5.3 | EPSS 0.00038
Exploits: 0 | References: 2
Cvelist
added 2021/03/16 1:55 p.m., 14 views

CVE-2020-4890

IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absence of rate limiting. IBM X-Force ID: 190973...

CVSS 4.4 | AI score 4.6 | EPSS 0.00041
Exploits: 0 | References: 2
CVE
added 2021/03/16 1:55 p.m., 40 views

CVE-2020-4890

IBM Spectrum Scale vulnerability CVE-2020-4890 affects versions 5.0.0–5.0.5.5 and 5.1.0–5.1.0.2. A local user with a valid REST API role can cause a denial of service due to weak or absent rate limiting on REST API requests. The root cause is insufficient rate-limiting controls; impact is availab...

CVSS 4.4 | AI score 4.8 | EPSS 0.00041
Exploits: 0 | References: 2 | Affected Software: 1
IBM Security Bulletins
added 2021/03/15 10:23 a.m., 17 views

Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI.

Summary Vulnerabilities exist in all levels of IBM Spectrum Scale GUI. A fix for this vulnerability is available. Vulnerability Details CVEID: CVE-2020-4890 DESCRIPTION: IBM Spectrum Scale could allow a local user with a valid role to the REST API to cause a denial of service due to weak or absen...

CVSS 6.2 | AI score 0.4 | EPSS 0.00041
Exploits: 0 | Affected Software: 1