#ios

A buffer overflow in the WMI SMI Handler in some Lenovo models may allow an attacker with local access and elevated privileges to execute arbitrary code.

The PrivateContent plugin for WordPress is vulnerable to protection mechanism bypass due to the use of client side validation in versions up to, and including, 8.4.3. This is due to the plugin checking if an IP had been blocklist via client-side scripts rather than server-side. This makes it possible for unauthenticated attackers to bypass any login restrictions that may prevent a brute force attack.

CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal session cookies of the admin users through notification received by the admin user.

Categories: News Tags: T-Mobile Tags: ransomware Tags: Microsoft Tags: TikTok Tags: privacy Tags: Data Privacy Day 2023 Tags: Data Privacy Week 2023 Tags: Malwarebytes 2023 State of Mobile Cybersecurity Tags: Riot Games Tags: VASTFLUX Tags: Grand Theft Auto 5 Tags: iPhone Tags: vRealize Tags: video game fish Tags: credit cart theft Tags: DuoLingo Tags: K-12 Tags: Vice Society Tags: Hive ransomware The most interesting security related news from the week of January 23-19. (Read more...) The post A week in security (January 23—29) appeared first on Malwarebytes Labs.

The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an unsecure token check that is susceptible to type juggling in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to execute functions intended for use by users with proper API keys.

Wire web-app is part of Wire communications. Versions prior to 2022-11-02 are subject to Improper Handling of Exceptional Conditions. In the wire-webapp, certain combinations of Markdown formatting can trigger an unhandled error in the conversion to HTML representation. The error makes it impossible to display the affected chat history, other conversations are not affected. The issue has been fixed in version 2022-11-02 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-11-02-production.0-v0.31.9-0-337e400 or wire-server 2022-11-03 (chart/4.26.0), so that their applications are no longer affected. As a workaround, you may use an iOS or Android client and delete the corresponding message from the history OR write 30 or more messages into the affected conversation to prevent the client from further rendering of the corresponding message. When attempting to retrieve messages from the conversation history, the err...

Improper input validation in driver adgnetworkwfpdrv.sys in Adguard For Windows x86 up to version 7.11 allows attacker to gain local privileges escalation.

Incorrect access control in Aternity agent in Riverbed Aternity before 12.1.4.27 allows for local privilege escalation. There is an insufficiently protected handle to the A180AG.exe SYSTEM process with PROCESS_ALL_ACCESS rights.

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

An issue was discovered in Rehau devices that use a pCOWeb card BIOS v6.27, BOOT v5.00, web version v2.2, allows attackers to gain full unauthenticated access to the configuration and service interface.