Cross-Site Request Forgery (CSRF) vulnerability in Kevin Weber Lazy Load for Videos plugin <= 2.18.2 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Lazy Load for Videos Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45656: WordPress Lazy Load for Videos plugin <= 2.18.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, 

some sensitive params  checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile"....

.  

Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/8604 



**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-43668

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. 


%PDF-1.7 %���� 1 0 obj <> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 49 0 R 53 0 R 54 0 R 57 0 R 72 0 R 75 0 R 76 0 R 77 0 R 78 0 R 79 0 R\] /MediaBox\[ 0 0 595.32 841.92\] /Contents 6 0 R/Group<>/Tabs/S>> endobj 4 0 obj <> stream ����JFIF����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222����"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?��(�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� )��Ā����S�&��QE0 (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (����݋Kb��xQ�VY�)bpɮ\[P�7w%��^W��c~�GO��ta��I�&�|��D�Ĥ��ϯ�t����G��b�����W����7������PӞ&�Q\_Ny�EPEPEPEPEPEPEP\\��:�4�nn�k���� �0V\`>�g��WO}{o��O{w\*�o$�� ��|e���x��W����~��#�,���<��h��ᥬ��\[������������5�?L\_�^\\�n$7���s�{��5�����9�aKo��� x����t-b�K����\\��cu7#���z��5�� ��(�\[a����(��\_��}����ᥬ��\[������֟��h-+Y׬��&\[�\\G���2�=21�8�|�J "�>�����ߎ?�.����T���|��q����������MF��o��mk��s������������|��&�>>���GS\_ �K�\[6�x�xy{/���j�\*�#�Z������ �Mz'��I��>�P\]"\[X���� �|q�q��ɞ��犼Eg�د�n��5�&>�f����k?h��M�{-�����'ܞh�|U�����'��\_C�v��!�g �zc���� -e�B�����+���%S���?��.�>��s�"�Q�-�%�،\`�>�۽�5�W�������O�������Z�Kq<�8bB�;tU$�Y����y(�nwv�Q�My������4� ����q���f�b�3^#�3�u���9-�� '���������h�9�ih�~��NW?�v�Z��\]��X���W��@�� .��,���+�<9��o�oN���'��7��v܌�=��Z�\_����o�ׄ\_� I�x�=\*I#�#o%�'�ge�6o��\*�3�A�$dR�)�S�8dH��XC4��~�r���i9���K%��:���Rk^�2��

CVE-2023-21415

%PDF-1.7 %���� 1 0 obj <> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 37 0 R 41 0 R 42 0 R 45 0 R 65 0 R 68 0 R 69 0 R 70 0 R 71 0 R 72 0 R\] /MediaBox\[ 0 0 595.32 841.92\] /Contents 6 0 R/Group<>/Tabs/S>> endobj 4 0 obj <> stream ����JFIF����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222����"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?��(�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� )��Ā����S�&��QE0 (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (����݋Kb��xQ�VY�)bpɮ\[P�7w%��^W��c~�GO��ta��I�&�|��D�Ĥ��ϯ�t����G��b�����W����7������PӞ&�Q\_Ny�EPEPEPEPEPEPEP\\��:�4�nn�k���� �0V\`>�g��WO}{o��O{w\*�o$�� ��|e���x��W����~��#�,���<��h��ᥬ��\[������������5�?L\_�^\\�n$7���s�{��5�����9�aKo��� x����t-b�K����\\��cu7#���z��5�� ��(�\[a����(��\_��}����ᥬ��\[������֟��h-+Y׬��&\[�\\G���2�=21�8�|�J "�>�����ߎ?�.����T���|��q����������MF��o��mk��s������������|��&�>>���GS\_ �K�\[6�x�xy{/���j�\*�#�Z������ �Mz'��I��>�P\]"\[X���� �|q�q��ɞ��犼Eg�د�n��5�&>�f����k?h��M�{-�����'ܞh�|U�����'��\_C�v��!�g �zc���� -e�B�����+���%S���?��.�>��s�"�Q�-�%�،\`�>�۽�5�W�������O�������Z�Kq<�8bB�;tU$�Y����y(�nwv�Q�My������4� ����q���f�b�3^#�3�u���9-�� '���������h�9�ih�~��NW?�v�Z��\]��X���W��@�� .��,���+�<9��o�oN���'��7��v܌�=��Z�\_����o�ׄ\_� I�x�=\*I#�#o%�'�ge�6o��\*�3�A�$dR�)�S�8dH��XC4��~�r���i9���K%��:���Rk^�2��

SaaS security is broad, possibly confusing, but undeniably crucial. Make sure you have the basics in place: discovery, risk assessment, and user access management.

In today's fast-paced business world, software-as-a-service (SaaS) applications have transformed how we work. They offer unprecedented flexibility, collaboration, and efficiency, making them the go-to solution for most organizations. From project management to customer relationship management and file storage, SaaS applications touch nearly every aspect of daily business operations. With sensitive data and critical business processes housed in these platforms, the need for robust SaaS security has never been more pressing and clear.

SaaS security is multifaceted, covering many types of risks with tools offered by diverse vendors. SaaS security typically falls within SaaS security posture management (SSPM). While modern SSPM solutions provide automation and in-product remediation, they might be somewhat overwhelming at first, especially for smaller organizations that don't have large budgets or don't know where to start or what to prioritize.

During a career spanning two decades in the Israeli military serving various cyber-related roles, I learned the importance of breaking down large challenges into smaller pieces. Tackling a large problem starts with identifying the basic requirements. In this article, I will lay out three must-have SaaS security essentials that any organization can implement, regardless of budget or headcount. These are three steps you can introduce into your organization today.

**Step 1: Discover Your SaaS Usage**

After serving hundreds of SaaS-using companies, it is clear to me that most organizations have a serious SaaS shadow-IT problem. In fact, the average employee uses 28 SaaS applications at any given time. When you think about it, it makes sense: Most employees, when encountering a specific business need, will look up a fast and easy solution online. That solution is often a SaaS tool that requires permissions into the employee's work environment. Onboarding these SaaS applications often goes completely unnoticed by security and IT teams. So, before you can secure your SaaS environment, you must first have full visibility into every employee's SaaS usage, all the time.

**Step 2: Perform Risk Assessments on Each SaaS Application**

Now that you have a clear picture of your SaaS landscape, it's time to evaluate the security risks associated with each application. Not all SaaS applications are created equal, and some may pose a higher risk to your organization's data and operations. We should always be cautious as to where we keep or share sensitive data and who we trust with our most critical assets. There are several critical considerations for determining whether an application is risky or not. Here are a few:

*   The SaaS vendor's security and privacy compliances.
*   The SaaS vendor's size and location.
*   The SaaS app's marketplace presence: Has it been validated by others?
*   Is it a private or public company? Does it share its security status publicly?

This type of analysis is crucial not only for maintaining SaaS security; it is a significant factor in companies' vendor risk-assessment processes. SaaS is a third-party vendor, and assessment is part of how you manage a vendor's risk. Organizations cannot afford to turn a blind eye to their third-party risks of any size.

**Step 3: Ensure Users Have Only Necessary Permissions and Roles**

The third essential step is managing user permissions. Often, security breaches occur due to excessive permissions granted to users or that the users grant to certain applications. To mitigate this risk, follow these best practices:

*   **Least-privilege principle:** This means granting users only the permissions they absolutely need to perform their tasks. Avoid granting broad, blanket permissions that can lead to data exposure or unauthorized actions.
*   **Regular permission reviews:** Establish a process for regularly reviewing and updating user permissions and roles. This is especially true for your core business applications. Employees' roles and responsibilities can change over time, and permissions should be adjusted accordingly.
*   **Start with the admins:** Assessing all your employees and their roles and permissions across dozens of apps can be daunting and time consuming. I've learned that focusing on various admin roles and auto-approving low-permissions roles is a huge time saver.

**Why These Three?**

There are many ways to implement SaaS security practices. Some organizations prefer looking at sensitive files shared between these applications; others start with irregular user behaviors to tackle insider risks. These are all valid, and robust SSPM tools offer these capabilities. But for smaller organizations with tighter budgets or those that prefer to start small then expand, I firmly believe these three principles are the way to go. These are required by major compliance standards such as ISO 27001 and SOC 2 and fall under basic vendor risk-assessment and user-management requirements.

**Embrace SaaS Without Compromising Security**

By enforcing these three steps, you can make significant strides in protecting your digital workspace. Remember that security is an ongoing process, and continuous monitoring and adaptation are key to staying ahead of evolving threats in the SaaS landscape. By prioritizing security, you can ensure employees are free to fully embrace the advantages of SaaS while always keeping your organization safe from SaaS potential harm.

**About the Author**

    

A retired colonel from the elite 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing, and deploying some of the Israeli Defense Forces' most vital defensive and offensive cyber platforms as well as leading large and strategic operations. She was an integral part of developing the IDF's first cyber capabilities and continued improving and enhancing these capabilities throughout her career. She is the recipient of numerous accolades, including the prestigious Israeli Defense Award.

3 Essential Steps to Strengthen SaaS Security

The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Why Zero Trust Is the Cloud Security Imperative

TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-36950: bug_submit/TOTOLINK/loginauth.md at main · Archerber/bug_submit

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

CVE-2023-36340: bug_submit/TOTOLINK/TOTOLINK-NR1800X.md at main · Archerber/bug_submit

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.  IBM X-Force ID:  256016.

CVE-2023-33836

Categories: News
Categories: Personal
Tags: Shadow PC

Tags:  data breach

Tags:  

Cloud service provider Shadow has notified customers about a data breach affecting over 500,000 users.



(Read more...)




The post Customer data stolen from gaming cloud host Shadow appeared first on Malwarebytes Labs.

Cloud infrastructure provider Shadow has warned of the data theft of over 500,000 customers. The customers were informed by a breach notification which was posted online.

Cloud is known in the gaming world and, among other things, allows gamers to play resource heavy games on lower-end devices,

The stolen data includes full customer names, email addresses, dates of birth, billing addresses, and credit card expiration dates. According to Shadow, no passwords or sensitive banking data have been compromised.

Shadow says the incident happened at the end of September, and was the result of a social engineering attack on a Shadow employee. The attack began on the Discord platform after the employee downloaded malware he believed to be a game on the Steam platform.

Shadow says that despite swift countermeasures, the attackers were able to use one or more of the cookies they had stolen in order to connect to the management interface of one of Shadow’s SaaS providers. From there the attackers were able to steal the data from Shadow by using their Application Programming Interface (API) access.

According to BleepingComputer, a cybercriminal claiming responsibility for the attack is selling the stolen database on a well-known hacking forum.

_image courtesy of BleepingComputer_

In the message, the cybercriminal says IP connection logs were also stolen in the breach in addition to the other data mentioned by Shadow.

It is unclear, although likely, whether Shadow has reached out to everyone involved. Shadow recommends that users set up multi-factor authentication (MFA) on their accounts, and watch out for any emails that appear to come from Shadow, as they could be phishing attempts.

The company is also telling users to contact customer service with any questions or concerns.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable multi-factor authentication (MFA). This is good advice from Shadow, and something we always advise. If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of multi-factor authentication can be phished just as easily as a password. MFA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. As Shadow warns, phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#auth