39 matches found
EUVD-2021-24802
Malware in sbrugna...
Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm formerly Americium, has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of...
Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm formerly Americium, has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of...
Malicious code in @moneybird/fetlife-assets (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7633e23704682618ad34d6d9becafa2f9c6d5da32087c51596f47fd5401b8099 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-435 Malicious code in @moneybird/fetlife-assets (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7633e23704682618ad34d6d9becafa2f9c6d5da32087c51596f47fd5401b8099 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2021-38349
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...
CVE-2021-38349
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...
Cross site scripting
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...
CVE-2021-38349 Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...
CVE-2021-38349 Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...
CVE-2021-38349
The CVE-2021-38349 entry documents a Reflected Cross-Site Scripting vulnerability in the WordPress plugin “Integration of Moneybird for WooCommerce” prior to or including version 2.1.1. The issue stems from the error_description parameter in the file templates/wcmb-admin.php, enabling injection o...
WordPress 插件跨站脚本漏洞
WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language . The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress Plugin is an open source application plugin for WordPress. The WorkPress Plugin suffers from a cross-sit...
Integration of Moneybird for WooCommerce <= 2.1.1 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts...
WordPress Integration of Moneybird for WooCommerce plugin <= 2.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting XSS vulnerability discovered by p7e4 in WordPress Integration of Moneybird for WooCommerce plugin versions = 2.1.1. Solution This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...
Moneybird: No rate Limit
Mailing to our support team using the support center in the application was improperly rate limited. There is now a better rate limiter in place...
Moneybird: Access control issue on invoice documents downloading feature.
Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...
Moneybird: Open Redirect through POST Request in OAuth
Reporter found an open redirect issue in the OAuth flow. We added extra checks for all redirects in the OAuth flows to mitigate this issue...
Moneybird: Stored XSS on add project
The researcher found a way to store a snippet that was served to him and or other users of his administration. Subsequently the snippet was executed by his browser, making it a viable XSS vulnerability...
Moneybird: Pending MFA logins aren't immediatly expired after a password change
Researcher found an issue with sessions not all being terminated when password is changed. The 2FA implementation was at fault in this scenario as the session was found to be active even after the password was changed and two-step verification was turned off...
Moneybird: IDOR in https://moneybird.com/user/accountant_company/edit(change company name)
Reporter found a way to change the name of an accountant company for which he didn't have permissions. We added extra checks to prevent these kind of Insecure Direct Object Reference bugs...