Tag
Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in Ali Khallad's Contact Form By Mega Forms plugin <= 1.2.4 at WordPress.
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at WordPress.
Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress.
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.
Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?
The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. It seems like there’s at least one major password breach every month — if not more. Most recently, there was an incident at Plex where all users had to reset their passwords. Many users pay for a password management service — which is something I’ve talked about a ton for Talos. But even those aren’t a one-size-fits-all solution. LastPass, one of the most popular password management services, recently suffered a breach of their own internal development environment, though as of right now, it doesn’t appear like any users’ primary passwords were compromised. This got me curious about how people prefer to manage their passwords, so I threw up a poll on our Twitter asking our readers how they managed their passwords. Paid password management services like LastPass and 1Password were the most popular response, followed by web browser-based managers like the ones Chrome and Safari offer. Several o...
The initial access broker (IAB) for ransomware gangs known as UAC-0098 has targeted Ukrainian organizations in five separate phishing campaigns spanning April to August.
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
Investment to fuel growth and market presence as demand grows for SaaS' next-generation security tools for managed service providers.