CVE-2022-1386

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the...

[SECURITY] Fedora 36 Update: golang-github-francoispqt-gojay-1.2.13-6.fc36

GoJay is a performant JSON encoder/decoder for Golang currently the most performant, see benchmarks. It has a simple API and doesn't use reflection. It relies on small interfaces to decode/encode structures and slices. Gojay also comes with powerful stream decoding features and an even faster...

Using Pupil Reflection in Smartphone Camera Selfies

Researchers are using the reflection of the smartphone in the pupils of faces taken as selfies to infer information about how the phone is being used: For now, the research is focusing on six different ways a user can hold a device like a smartphone: with both hands, just the left, or just the...

CVE-2022-1282

The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $GET'imageurl' variable, which is reflected back to the users when executing the editimagebwg AJAX action...

[SECURITY] Fedora 34 Update: golang-github-francoispqt-gojay-1.2.13-6.fc34

GoJay is a performant JSON encoder/decoder for Golang currently the most performant, see benchmarks. It has a simple API and doesn't use reflection. It relies on small interfaces to decode/encode structures and slices. Gojay also comes with powerful stream decoding features and an even faster...

[SECURITY] Fedora 35 Update: golang-github-francoispqt-gojay-1.2.13-6.fc35

GoJay is a performant JSON encoder/decoder for Golang currently the most performant, see benchmarks. It has a simple API and doesn't use reflection. It relies on small interfaces to decode/encode structures and slices. Gojay also comes with powerful stream decoding features and an even faster...

nopCommerce 跨站脚本漏洞

nopCommerce is an open source general-purpose e-commerce platform. nopCommerce version 4.50.1 contains a cross-site scripting vulnerability that stems from the fact that a customer's name is reflected in the response without HTML encoding, which can be exploited by an attacker to inject javascrip...

Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 through 5.2 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing (in the Passkey authentication procedure) by reflection of the public key and the authentication evidence of the initiating device potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. The attack methodology determines the Passkey value one bit at a time.

...

WordPress Cookie Information | Free GDPR Consent Solution plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress Cookie Information | Free GDPR Consent Solution plugin prior to version 2.0.8 is vulnerable to A cross-site scripting vulnerability...

WordPress ARI Fancy Lightbox plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. cross-site scripting vulnerability exists in versions of the WordPress ARI Fancy Lightbox plugin prior to 1.3.9, which stems from a...

Hackers Abuse Mitel Devices to Amplify DDoS Attacks by 4 Billion Times

Threat actors have been observed abusing a high-impact reflection/amplification method to stage sustained distributed denial-of-service DDoS attacks for up to 14 hours with a record-breaking amplification ratio of 4,294,967,296 to 1. The attack vector – dubbed TP240PhoneHome CVE-2022-26143 – has...

WordPress Advanced iFrame plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress Advanced iFrame plugin versions prior to 2022 contain a cross-site scripting vulnerability that stems from the plugin's failure to...

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

A new reflection/amplification distributed denial of service DDoS vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks...

Hackers Begin Weaponizing TCP Middlebox Reflection for Amplified DDoS Attacks

Distributed denial-of-service DDoS attacks leveraging a new amplification technique called TCP Middlebox Reflection have been detected for the first time in the wild, six months after the novel attack mechanism was presented in theory. "The attack … abuses vulnerable firewalls and content filteri...

WordPress WP Accessibility Helper plugin cross-site scripting vulnerability

WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blogging sites on servers with PHP and MySQL.A cross-site scripting vulnerability exists in versions of the WordPress WP Accessibility Helper plugin prio...

TCP Middlebox Reflection: Coming to a DDoS Near You

Over the past week, Akamai Security Researchers have detected and analyzed a series of TCP reflection attacks, peaking at 11 Gbps at 1.5 Mpps, that were leveled against Akamai customers. The attack, amplified with a technique called TCP Middlebox Reflection, abuses vulnerable firewalls and conten...

WordPress plugin 跨站脚本漏洞

WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. cross-site scripting vulnerability exists in versions prior to WordPress WP User plugin 7.0. The vulnerability stems...

WordPress Plugin Download Manager SQL Injection Vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A SQL injection vulnerability exists in the WordPress plugin Download Manager prior to version 3.2.34. The...

WordPress NewStatPress plugin cross-site scripting vulnerability

WordPress is the Wordpress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. cross-site scripting vulnerability exists in versions of WordPress NewStatPress plugin prior to 1.3.6. The vulnerabili...

Mageia: Security Advisory (MGASA-2020-0259)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...