854 matches found

OSV
added 2021/09/22 5:25 p.m., 2 views

DRUPAL-CONTRIB-2021-038

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-en...

6.8 AI score
Exploits 0, References 1
Drupal
added 2021/09/22 12:0 a.m., 12 views

The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...

6.7 AI score
Exploits 0, References 5
Drupal
added 2021/09/22 12:0 a.m., 16 views

The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. This module has a vulnerability whereby users can select blocks as a menu item they don't have permission to view. The vulnerability is mitigated by the fact that it can on...

6.5 AI score
Exploits 0, References 6
Drupal
added 2021/09/22 12:0 a.m., 15 views

The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-en...

6.8 AI score
Exploits 0, References 6
Patchstack
added 2021/09/21 12:0 a.m., 5 views

WordPress WP Mega Menu plugin <= 1.3.9 - Arbitrary Post Access vulnerability

Arbitrary Post Access vulnerability discovered by WPScanTeam in WordPress WP Mega Menu plugin versions <= 1.3.9. Solution: Update the WordPress WP Mega Menu plugin to the latest available version (at least 1.4.0)...

3.3 AI score
Exploits 0, References 2, Affected Software 1
Patchstack
added 2021/09/21 12:0 a.m., 8 views

WordPress WP Mega Menu plugin <= 1.4.0 - Arbitrary Post Access vulnerability

Arbitrary Post Access vulnerability discovered by WPScanTeam in WordPress WP Mega Menu plugin versions <= 1.4.0. Solution: Update the WordPress WP Mega Menu plugin to the latest available version (at least 1.4.1)...

3.3 AI score
Exploits 0, References 2, Affected Software 1
WPVulnDB
added 2021/09/21 12:0 a.m., 14 views

WP Mega Menu < 1.4.1 - Subscriber+ Arbitrary Post Access

The plugin does not properly check for capability and CSRF due to a logic flaw in its exporttheme and exportwpmegamenunavmenu methods, hooked as AJAX actions and available to any authenticated user. As a result, low privilege authenticated users such as subscribers can call them and access...

1.3 AI score
Exploits 0, Affected Software 1
WPVulnDB
added 2021/09/21 12:0 a.m., 12 views

WP Mega Menu < 1.4.0 - Unauthenticated Arbitrary Post Access

The plugin does not properly check for capability and CSRF due to a logic flaw in its exporttheme and exportwpmegamenunavmenu methods, hooked to admininit. As a result, unauthenticated users can call them and access arbitrary post data, including password protected or private ones. PoC Access an...

1.5 AI score
Exploits 0, Affected Software 1
Malwarebytes
added 2021/07/23 6:6 p.m., 85 views

CNA legal filings lift the curtain on a Phoenix CryptoLocker ransomware attack

Two months after fully restoring its systems, CNA Financial, the leading US insurance company that was attacked by a group using Phoenix CryptoLocker ransomware, issued a legal notice of an information security incident to the Consumer Protection Bureau in New Hampshire. You may recall that Phoen...

7.4 AI score
Exploits 0
OSV
added 2021/06/07 11:15 a.m., 2 views

CVE-2021-24342

The JNews WordPress theme before 8.0.6 did not sanitise the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory, leading to a Reflected Cross-Site Scripting (XSS) issue...

6.1 CVSS, 5.8 AI score, 0.01975 EPSS
Exploits 2, References 1
OSV
added 2021/05/24 11:2 a.m., 2 views

OESA-2021-1191 qemu security update

QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. Security Fixes: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein...

6 CVSS, 7.5 AI score, 0.00638 EPSS
Exploits 2, References 5
CNVD
added 2021/05/07 12:0 a.m., 9 views

WordPress HT Mega Absolute Addons for Elementor Cross-Site Scripting Vulnerability

WordPress is the WordPress Foundation's blogging platform, developed in the PHP language. The platform supports setting up a personal blog site on PHP and MySQL servers. WordPress Plugin is an open source WordPress application plugin. A security vulnerability exists in WordPress HT Mega...

5.4 CVSS, 5.7 AI score, 0.00663 EPSS
Exploits 1, References 1
Rapid7 Blog
added 2021/05/05 7:24 p.m., 51 views

Rapid7 Releases New Industry Cyber-Exposure Report (ICER): ASX 200

Today, we are excited to release the third report in our Industry Cyber-Exposure Report (ICER) series, which digs into cyber-exposure among organizations in Australia’s ASX 200. This series focuses on five key areas we believe CISOs at mega-corporations actually have a shot at accomplishing, and wi...

0.4 AI score
Exploits 0
OSV
added 2021/05/05 7:15 p.m., 2 views

CVE-2021-24261

The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method...

5.4 CVSS, 5.8 AI score, 0.00663 EPSS
Exploits 1, References 2
NVD
added 2021/05/05 7:15 p.m., 11 views

CVE-2021-24261

The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method...

5.4 CVSS, 0.00663 EPSS
Exploits 1, References 2
Prion
added 2021/05/05 7:15 p.m., 17 views

Cross site scripting

The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method...

3.5 CVSS, 5.2 AI score, 0.00663 EPSS
Exploits 1, References 2, Affected Software 1
CVE
added 2021/05/05 6:28 p.m., 71 views

CVE-2021-24261

CVE-2021-24261 affects WordPress HT Mega – Absolute Addons for Elementor Page Builder prior to 1.5.7. Public sources describe stored XSS in multiple widgets (for example, htmega_call_to_action, htmega_section_title, htmega_accordion, and related fields) that can be exploited by lower-privileged ...

5.4 CVSS, 5.2 AI score, 0.00663 EPSS
Exploits 1, References 2, Affected Software 1
CNNVD
added 2021/05/05 12:0 a.m., 9 views

Elementor Cross-Site Scripting Vulnerability

WordPress is the WordPress Foundation's blogging platform, developed in the PHP language. The platform supports setting up a personal blog site on PHP and MySQL servers. WordPress Plugin is an open source WordPress application plugin. A security vulnerability exists in WordPress HT Mega...

5.4 CVSS, 5.2 AI score, 0.00663 EPSS
Exploits 1, References 3
Patchstack
added 2021/04/13 12:0 a.m., 19 views

WordPress HT Mega plugin <= 1.5.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered by WordFence in WordPress HT Mega plugin versions <= 1.5.5. Solution: Update the WordPress HT Mega plugin to the latest available version (at least 1.5.7)...

5.4 CVSS, 1.2 AI score, 0.00663 EPSS
Exploits 1, References 3, Affected Software 1
WPVulnDB
added 2021/04/13 12:0 a.m., 16 views

HT Mega - Absolute Addons for Elementor Page Builder < 1.5.7 - Contributor+ Stored XSS

The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. The “htmega_call_to_action” widget accepts a...

3.5 CVSS, 0.00663 EPSS
Exploits 1, References 1, Affected Software 1