
1864 matches found

CVE
added 2023/06/09 12:0 a.m. · 68 views

CVE-2023-34364

Progress DataDirect Connect for ODBC (Oracle) prior to 08.02.2770 contains a buffer overflow caused by overly large option values in a connection string, overrunning the processing buffer and enabling remote code execution. The root cause is improper bounds checking on certain connection-string o...

CVSS 9.8 · AI score 9.6 · EPSS 0.01609
Exploits: 0 · References: 2 · Affected Software: 1
Tenable Nessus
added 2023/06/09 12:0 a.m. · 33 views

Progress MOVEit Transfer < 2020.1.9 / 2021.0.x < 2021.0.7 / 2021.1.x < 2021.1.5 / 2022.0.x < 2022.0.5 / 2022.1.x < 2022.1.6 / 2023.0.x < 2023.0.2 Critical Vulnerability (June 2023)

The version of Progress MOVEit Transfer, formerly Ipswitch MOVEit DMZ, installed on the remote host is prior to 2020.1.9, 2021.0.7, 2021.1.5, 2022.0.5, 2022.1.6, or 2023.0.2. It is, therefore, affected by a SQL injection vulnerability as referenced in Progress Community article 000234899. -...

CVSS 9.1 · AI score 9 · EPSS 0.12808
Exploits: 0 · References: 2
The Hacker News
added 2023/06/08 1:56 p.m. · 61 views

Clop Ransomware Gang Likely Aware of MOVEit Transfer Vulnerability Since 2021

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomwar...

AI score 10.5 · EPSS 0.99934
Exploits: 15
Positive Technologies
added 2023/06/08 12:0 a.m. · 3 views

PT-2023-24839 · Progress · Progress Datadirect Connect For Odbc

Name of the Vulnerable Software and Affected Versions: Progress DataDirect Connect for ODBC versions prior to 08.02.2770 for Oracle
Description: An issue was discovered when using Oracle Advanced Security (OAS) encryption. If an error occurs while initializing the encryption object, the code falls...

CVSS 5.9 · AI score 7.1 · EPSS 0.00327
Exploits: 0 · References: 7
Imperva Blog
added 2023/06/06 3:55 p.m. · 55 views

CVE-2023-34362 – MOVEit Transfer – An attack chain that retrieves sensitive information

MOVEit Transfer is a popular secure file transfer solution developed by Progress, a subsidiary of Ipswitch. At the moment, there are more than 2,500 MOVEit Transfer servers that are accessible from the internet, according to Shodan. On May 31, 2023, Progress released a security advisory affecting...

CVSS 7.5 · AI score 8.7 · EPSS 0.99934
Exploits: 15
Packet Storm
added 2023/06/05 12:0 a.m. · 267 views

WordPress Circle Progress 1.0 Cross Site Scripting

Exploit Title: WordPress Plugin Circle progress bar – Cross site scripting-Stored Date: 2-06-2023 Exploit Author: Taliya Bilal- NightHawk Vendor Homepage: https://wordpress.org/plugins/circle-progress-bar/ Version: 1.0 Tested on: Firefox Contact me: [email protected] Steps to reproduce: 1...

AI score 7.1
Exploits: 0
CISA KEV Catalog
added 2023/06/02 12:0 a.m. · 132 views

Progress MOVEit Transfer SQL Injection Vulnerability

Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer informati...

CVSS 9.8 · AI score 8.1 · EPSS 0.99934
In wild · Exploits: 15
Rapid7 Blog
added 2023/06/01 3:23 p.m. · 211 views

Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability

Note: As of June 2, 2023, CVE-2023-34362 has been assigned to this vulnerability. On Friday, June 9, Progress Software released patches for a second vulnerability, CVE-2023-35036. On Thursday, June 15, a third vulnerability was announced and later assigned CVE-2023-35708. Progress has updates her...

CVSS 7.5 · AI score 10.4 · EPSS 0.99934
Exploits: 15
The Hacker News
added 2023/06/01 2:55 p.m. · 75 views

Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin

Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names J...

CVSS 9.8 · AI score 7.2 · EPSS 0.99737
Exploits: 16
Tenable Nessus
added 2023/06/01 12:0 a.m. · 154 views

Progress MOVEit Transfer < 2020.0 / 2020.1 / 2021.0 < 2021.0.6 / 2021.1.0 < 2021.1.4 / 2022.0.0 < 2022.0.4 / 2022.1.0 < 2022.1.5 / 2023.0.0 < 2023.0.1 Critical Vulnerability (May 2023)

The version of Progress MOVEit Transfer, formerly Ipswitch MOVEit DMZ, installed on the remote host is prior to 2020.0 / 2020.1 / 2021.0 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, or 2023.0.1. It is, therefore, affected by a SQL injection vulnerability as referenced in Progress Community article...

CVSS 9.8 · AI score 8.7 · EPSS 0.99934
Exploits: 15 · References: 3
OSV
added 2023/05/29 3:15 p.m. · 1 views

CVE-2023-23699

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds Progress Bar plugin <= 2.2.1 versions...

CVSS 5.4 · AI score 6.7 · EPSS 0.00361
Exploits: 0 · References: 1
Cvelist
added 2023/05/29 2:0 p.m. · 13 views

CVE-2023-23699 WordPress Progress Bar Plugin <= 2.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds Progress Bar plugin <= 2.2.1 versions...

CVSS 6.5 · AI score 6 · EPSS 0.00361
Exploits: 0 · References: 1
Vulnrichment
added 2023/05/29 2:0 p.m. · 10 views

CVE-2023-23699 WordPress Progress Bar Plugin <= 2.2.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Reynolds Progress Bar plugin <= 2.2.1 versions...

CVSS 6.5 · AI score 5.6 · EPSS 0.00361
Exploits: 0 · References: 1
CVE
added 2023/05/29 2:0 p.m. · 36 views

CVE-2023-23699

CVE-2023-23699 affects the Chris Reynolds Progress Bar plugin for WordPress, specifically versions

CVSS 6.5 · AI score 5.5 · EPSS 0.00361
Exploits: 0 · References: 1 · Affected Software: 1
CNNVD
added 2023/05/29 12:0 a.m. · 2 views

WordPress plugin Progress Bar cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...

CVSS 6.5 · AI score 6.5 · EPSS 0.00361
Exploits: 0 · References: 3
Github Security Blog
added 2023/05/26 1:55 p.m. · 22 views

Craft CMS stored XSS in review volume

Summary XSS can be triggered by review volumes PoC 1. Access setting tab 2. Create new assets 3. In assets name inject payload: "alert1337 4. Click Utilities tab 5. Choose all volumes, or volume trigger xss 6. Click Update asset indexes. 7. Wait to assets update success. 8. Progress complete. 9...

CVSS 5.5 · AI score 6.8 · EPSS 0.00653
Exploits: 1 · References: 5 · Affected Software: 1
Openbugbounty
added 2023/05/22 2:32 p.m. · 7 views

progress-security.com Cross Site Scripting vulnerability OBB-3358321

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0
RedHat Linux
added 2023/05/16 8:56 a.m. · 1 views

kernel: blk-mq: avoid double ->queue_rq() because of early timeout

In the Linux kernel, the following vulnerability has been resolved: blk-mq: avoid double ->queue_rq() because of early timeout David Jeffery found one double ->queue_rq() issue, so far it can be triggered in VM use case because of long vmexit latency or preempt latency of vCPU pthread or long page fault ...

CVSS 5.5 · AI score 6.6 · EPSS 0.00184
Exploits: 0 · References: 5
CVE
added 2023/05/11 12:0 a.m. · 159 views

CVE-2023-30394

The CVE-2023-30394 entry concerns MoveIt framework 1.1.11 for ROS, where an XSS vulnerability exists in the API authentication function. The issue is widely referenced across multiple feeds, and one source (PT-2023-22669) provides a practical workaround: disable the API authentication function an...

CVSS 6.1 · AI score 6.2 · EPSS 0.00609
Exploits: 0 · References: 4 · Affected Software: 1
NVD
added 2023/05/09 4:15 p.m. · 8 views

CVE-2023-31806

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function...

CVSS 5.4 · AI score 5.7 · EPSS 0.00415
Exploits: 0 · References: 2