376 matches found

OSV
added 2023/04/17 1:15 p.m., 6 views

CVE-2023-1282

The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the...

CVSS 6.1, AI score 6.4, EPSS 0.00542
Exploits: 3, References: 2
CVE
added 2023/04/17 12:17 p.m., 68 views

CVE-2023-1282

The CVE-2023-1282 entry affects the WordPress plugins “Drag and Drop Multiple File Upload PRO – Contact Form 7 Standard” (before 2.11.1) and “Drag and Drop Multiple File Upload PRO – Contact Form 7 with Remote Storage Integrations” (before 5.0.6.4). Root cause: both plugins do not sanitize/escape...

CVSS 6.1, AI score 6.1, EPSS 0.00542
Exploits: 3, References: 2, Affected Software: 1
The Hacker News
added 2023/04/13 4:35 a.m., 3 views

ChatGPT Security: OpenAI's Bug Bounty Program Offers Up to $20,000 Prizes

OpenAI, the company behind the massively popular ChatGPT AI chatbot, has launched a bug bounty program in an attempt to ensure its systems are "safe and secure." To that end, it has partnered with the crowdsourced security platform Bugcrowd for independent researchers to report vulnerabilities...

AI score 7.4
Exploits: 0
WPVulnDB
added 2023/03/21 12:00 a.m., 14 views

Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins. PoC Visit the following path on the site as an admin user:...

CVSS 6.1, AI score 5.7, EPSS 0.00542
Exploits: 3, Affected Software: 1
Tenable Nessus
added 2023/03/06 12:00 a.m., 20 views

Atlassian Jira Service Desk 4.8.1 < 4.12.0 Information Disclosure In API and Integrations

According to its self-reported version number, the Atlassian Jira Service Desk application running on the remote host is version 4.8.x prior to 4.12.0. It is, therefore, affected by a flaw which may permit a remote attacker authenticated as a non-administrator user to view Project Request-Types a...

CVSS 4.3, AI score 4.8, EPSS 0.00848
Exploits: 0, References: 2
Tenable Nessus
added 2023/03/06 12:00 a.m., 15 views

Atlassian Jira Service Desk 4.7.1 < 4.10.0 Cross-Site Scripting In API and Integrations

According to its self-reported version number, the Atlassian Jira Service Desk application running on the remote host is version 4.7.x prior to 4.10.0. It is, therefore, affected by a flaw which may permit a remote attacker to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS...

CVSS 4.8, AI score 5.9, EPSS 0.0194
Exploits: 3, References: 2
Trend Micro Simply Security
added 2023/02/24 12:00 a.m., 13 views

Amplifying Power to Customer Through Ecosystem Integrations

Transformation to a SaaS-based cybersecurity vendor...

AI score 4
Exploits: 0
Virtuozzo
added 2023/02/14 12:00 a.m., 31 views

Virtuozzo Hybrid Infrastructure 5.4 (5.4.0-133)

In this release, Virtuozzo Hybrid Infrastructure provides a range of new features that cover compute services, management node high availability, monitoring and alerts, and the user interface. Additionally, this release delivers stability improvements and addresses issues found in previous...

AI score 0.8
Exploits: 0
Qualys Blog
added 2023/02/08 4:35 p.m., 17 views

Introducing Enterprise TruRisk Management from Qualys

Since the release of Qualys VMDR 2.0 with TruRisk last year, our customers have quickly adopted it to perform cyber risk assessments across the entire enterprise. With detail-rich cyber risk visualization, customers can now pinpoint the areas of their business exposed to elevated levels of cyber...

Exploits: 0
Spring Security Advisories
added 2023/01/20 10:51 a.m., 31 views

Spring Modulith 0.3 released

Hot on the heels of Spring Boot 3.0.2, I am excited to announce the 0.3 release of Spring Modulith. The release is packed with improvements. We have tweaked a couple of things that might require your attention and a couple of adapting changes to your code. The most notable changes are: GH-114 – W...

Exploits: 0
The Hacker News
added 2022/12/22 3:49 a.m., 49 views

Hackers Breach Okta's GitHub Repositories, Steal Source Code

Okta, a company that provides identity and access management services, disclosed on Wednesday that some of its source code repositories were accessed in an unauthorized manner earlier this month. "There is no impact to any customers, including any HIPAA, FedRAMP, or DoD customers," the company sa...

AI score 0.5
Exploits: 0
IBM Security Bulletins
added 2022/12/14 1:45 a.m., 40 views

Security Bulletin: IBM Tivoli Netcool/OMNIbus Probe and Integrations Library are affected by vulnerabilities in FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003)

Summary FasterXML jackson-databind is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library and Probe for Microsoft Exchange Web Services. The latest patches include FasterXML jackson-databind 2.13.4.2 that fixes the vulnerabilities. CVE-2022-42004, CVE-2022-42003...

CVSS 7.5, AI score 7.4, EPSS 0.02824
Exploits: 3, Affected Software: 1
Rapid7 Blog
added 2022/11/29 4:00 p.m., 12 views

Unifying Threat Findings to Elevate Your Runtime Cloud Security

The widespread growth in cloud adoption in recent years has given businesses across all industries the ability to transform and scale in ways never before possible. However, the speed of those changes, combined with the drastically increased volume and complexity of resources in cloud environment...

AI score 0.2
Exploits: 0
Cvelist
added 2022/10/25 12:00 a.m., 25 views

CVE-2022-39349 Tasks.org vulnerable to data exfiltration by malicious app or adb

The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity ShareLinkActivity.kt to handle "share" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachment...

CVSS 5.5, AI score 5.5, EPSS 0.0025
Exploits: 0, References: 2
Spring Security Advisories
added 2022/09/01 7:00 a.m., 13 views

A Bootiful Podcast: Dr. Kris De Volder on Spring Tools, VS Code, and so much more

Hi, Spring fans! In this episode Josh Long @starbuxman talks to Dr. Kris De Volder, a longtime member of the Spring Tools team, about all the cool stuff he's worked on and is going to work on. And then we get knee deep into a discussion around building IDE integrations...

AI score 0.6
Exploits: 0
Spring Security Advisories
added 2022/08/30 2:43 p.m., 15 views

Microsoft is committed to the success of Java developers

Hi, Spring fans! This is a guest post from our friend Julia Liuson, President, Developer Division, Microsoft As a company, we are committed to making Java developers as efficient and productive as possible. This commitment means empowering you to use any tool, framework, and application server on...

AI score 7.4
Exploits: 0
Qualys Blog
added 2022/08/09 5:45 p.m., 67 views

Know Your ServiceNow and Qualys Integrations

If you are a current ServiceNow customer interested in cybersecurity, this blog is for you. If you are a Qualys customer who also uses ServiceNow, this blog is for you too. ServiceNow and Qualys have enjoyed a multi-year partnership, being two of the premier SaaS vendors covering the IT and...

AI score 1.2
Exploits: 0
Fedora
added 2022/07/04 1:35 a.m., 19 views

[SECURITY] Fedora 36 Update: golang-github-prometheus-alertmanager-0.23.0-9.fc36

The Alertmanager handles alerts sent by client applications such as the Prometheus server. It takes care of deduplicating, grouping, and routing them to the correct receiver integrations such as email, PagerDuty, or OpsGenie. It also takes care of silencing and inhibition of alerts...

CVSS 9.3, AI score 8.8, EPSS 0.05994
Exploits: 4
Code423n4
added 2022/07/01 12:00 a.m., 6 views

Total supply can be incorrect in ERC20

Lines of code Vulnerability details Impact totalSupply can be initialized to something different than 0, which would lead to an inaccurate total supply, and could easily break integrations, computations of market cap, etc. Proof of Concept If the constructor is called with initialSupply = 1000, t...

AI score 6.8
Exploits: 0
OSV
added 2022/06/20 8:19 p.m., 11 views

MAL-2022-2393 Malicious code in deep-integrations (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 701fc1ba4b0344605c351e6ee31de481a9b83be3551900d9a182a5e220388401 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1