Sylius Information Disclosure Vulnerability
Sylius is an open source e-commerce platform built on the Symfony framework, from the Polish company Sylius. The sylius paypal-plugin is vulnerable to information disclosure, which could expose personally identifiable information. No details of the vulnerability...
Vaccine passport app leaks users’ personal data
Security and privacy advocates may have had cause to worry after all: Portpass, a vaccine passport app in Canada, has been found to have exposed the personal data of its users for an unknown length of time. On Monday, the Canadian Broadcasting Corporation (CBC) received a tip that "the user profiles ...
New Android Malware Targeting US, Canadian Users with COVID-19 Lures
An "insidious" new smishing malware campaign has been found targeting Android mobile users in the U.S. and Canada, using SMS text-message lures about COVID-19 regulations and vaccine information in an attempt to steal personal and financial data. Proofpoint's...
CVE-2021-34647
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulkexportsubmissions function found in the /includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...
WordPress Plugin Security Vulnerability
Ninja Forms is an open source form-builder plugin for WordPress. A security vulnerability exists in Ninja Forms 3.5.7 and earlier, where an authenticated attacker can export all Ninja Forms submissions, which may contain personally identifiable information, via t...
When data privacy and protection are rights, don’t get it wrong
Twenty-one years ago, Latanya Sweeney showed that it is possible to uniquely identify 87% of Americans with just three pieces of personal data: gender, ZIP code and full date of birth. Long before anyone had heard the words 'data lake', 'cloud storage' or 'big data', never mind 'social media', it w...
WhatsApp hit with €225 million fine for GDPR violations
WhatsApp was hit with a €225 million fine for violating the General Data Protection Regulation (GDPR), the European Union's sweeping data protection law that has been in effect for more than three years. The fine is the highest ever levied by the Irish Data Protection Commission,...
LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files
After Bangkok Airways disclosed that it had been hit by a cyberattack last week, the LockBit 2.0 ransomware gang tossed its own countdown clock in the trash and went ahead and published what it claims are the airline's stolen files on its leak site. BleepingComputer posted an image shown...
LockBit Gang to Publish 103GB of Bangkok Airways Customer Data
The LockBit ransomware gang has apparently struck again, having purportedly stolen 103GB of files from Bangkok Airways and promising to release them tomorrow, Tuesday. A dark web intelligence firm calling itself DarkTracer (apparently a separate firm from the better-known Darktrace)...
Black Hat 2021: Rapid7 Experts Share Key Day 2 Takeaways
Here we are again, back for another day of Rapid7 expert debriefings and analysis for some of the most talked-about Black Hat sessions of this year. So without further delay, let’s take it away! Get more DEF CON 2021 insights from our Research team on Tuesday, August 10 Sign up for our What...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description: Attacker is able to create any Personal Data record if users visit the attacker's site. 🕵️♂️ Proof of Concept: 1. Open PoC.html in Firefox or Safari. 2. Now you can check that Personal Data with Denomination aaa has been created. // PoC.html: history.pushState('', '', '/') <input type="hidden" name="e...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description: Attacker is able to delete any Personal Data record if users visit the attacker's site. 🕵️♂️ Proof of Concept: 1. Open PoC.html in Firefox or Safari. 2. Now you can check that Personal Data with idrecord value equal to 2 has been deleted. // PoC.html: history.pushState('', '', '/')...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description: Attacker is able to disable any Personal Data module if users visit the attacker's site. 🕵️♂️ Proof of Concept: 1. Open PoC.html in Firefox or Safari. 2. Now you can check that Personal Data module with id value equal to 1 has been disabled. // PoC.html: history.pushState('', '', '/')...
Guess Fashion Deals With Data Loss, Post-Ransomware
A February ransomware attack on fashion label Guess, linked to the DarkSide group behind the Colonial Pipeline attack, is still causing damage. Guess has started sending letters to 1,300 employees and contractors whose personal and banking data were exposed during the breach. The letter, published by...
How can you protect your personal, sensitive data online?
By Owais Sultan. If you are reading this and thinking about your personal data, or even your secrets, you may have bigger problems than you can solve. This is a post from HackRead.com. Read the original post: How can you protect your personal, sensitive data online?...
Stripe: Email change or personal data change on the account.
@dk82hg found that the email change flow on indiehackers.com was vulnerable to an insecure direct object reference (IDOR), which allowed an attacker to change the email associated with a user account to one they owned and, in certain situations, take over a victim's account. A fix was shipped to...
Acronis: CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud
Summary Hi team, I hope everything goes well. I have found a CSS Injection in the Acronis Cloud Management Console (https://mc-beta-cloud.acronis.com/mc) via the colorscheme GET parameter. Description: The flow works as I describe below. If we go to the URL...
Oh FCUK! Fashion Label, Medical Diagnostics Firm Latest REvil Victims
U.K.-based fashion brand French Connection, which advertises under the acronym "FCUK," confirmed that it had been compromised by the ransomware group REvil. Just hours later, Brazilian medical diagnostics firm Grupo Fleury announced it had suffered the same misfortune. The twin attacks reveal shifting...
IKEA Fined $1.2M for Elaborate ‘Spying System’
IKEA's French subsidiary was just hit with a $1.2 million fine after it was found guilty of a systematic snooping scheme targeting customers, employees and even prospective hires. Prosecutors said the company illegally surveilled about 400 people in total, according to the BBC. IKE...