Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.

CVE-2022-43492: Comments – wpDiscuz

Auth. (admin+) Arbitrary File Read vulnerability in S2W – Import Shopify to WooCommerce plugin <= 1.1.12 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

S2W – Import Shopify to WooCommerce helps you migrate data from Shopify to WooCommerce easily. With only 2 steps your Shopify products(including images) and categories will be migrated. The plugin uses Shopify API key to transfer data from Shopify to WooCommerce store directly, your data is kept private. With the premium version, you can also migrate store settings, shipping zones, taxes, pages, blogs, coupons, customers and orders.

Documents| Premium version | Facebook group

Learn how to get shopify API key and password to use with S2W – Import Shopify to WooCommerce  

Preview S2W – Import Shopify to WooCommerce  

**IMPORTANT NOTICE:**

*   The plugin works based on WooCommerce plugin.
    
*   It is released on WordPress.org and you can use the plugin as free to build themes for sale.
    

**FEATURES:**

*   **Products per ajax request**: Change this option to avoid bad request error, default is 5
    
*   **Import Products sequence**: Change the order to import products by Title, Created date or Updated date
    
*   **Import products**: Import unlimited products from your Shopify store to WooCommerce
    
*   **Product variations**: All product variations will be imported with your current stock, price… in your Shopify store
    
*   **Status of products**: Can set status of imported products to publish, pending or draft
    
*   **Product categories**: Product categories will be remained, can choose to add all products to specific categories
    
*   **Migrate images**: Product images, gallery and variations images will be queued to import to avoid overload of your server
    
*   **Logs**: You can review the migration process in log files
    

**PRO VERSION:**

► **All features from free version.**

► **WEBHOOKS**: You can use webhooks to automatically import/update new data for Products/Orders/Customers.

► **IMPORT PRODUCTS from CSV**: In case you don’t use API, this is what you need to migrate your products

► **IMPORT PRODUCT BY ID**: You can choose specific products to import by entering product ids

► **IMPORT PRODUCT OPTIONS**: Besides some options like the free version, you can do more with the pro version:

*   **Metafields**: You can import metafields of products such as SEO title, SEO description…
    
*   **Migrate description images**: Images in the product description can be easily migrated to the WordPress site and images sources(URLs) will be replaced correctly after that
    
*   **Products filters**: If you don’t want to import all products, there are some filters available such as product type, collection ID, published before date, published after date. And you can also select the sequence products are imported
    

► **CRON UPDATE PRODUCT**: Schedule to update product price or quantity automatically

► **UPDATE PRODUCT OPTIONS**: Able to update product images, title, inventory, description, price, SKU, attributes, slug after products are imported to WooCommerce store

► **ORDERS**: Payment method, shipping method, first name, last name, company, country, address, zip, city, province, phone, total, subtotal, tax, discount, shipping cost, currency, date create, browser IP, customer user agent, line items, discount code, order number, order fulfillment.

► **IMPORT ORDER OPTIONS**: Orders per ajax request, Import orders created/imported at or before/after date, Import Orders sequence

► **UPDATE ORDER OPTIONS**: Able to update order status, order date, order fulfillments

► **CRON UPDATE ORDER**: Schedule to update orders automatically

► **STORE SETTINGS**: Site title, admin email, store address, city, country, state, postcode, timezone, weight unit, currency code, currency format.

► **SHIPPING ZONES**: shipping zones and shipping methods.

► **TAXES**: Tax name, tax rate, country, province, zip, shipping.

► **PAGES**: Title, content.

► **BLOGS**: Blog title, blog content, categories, tags, featured image.

► **COUPONS**: Coupon types that WooCommerce support, coupon amount, usage limit, expiry date, minimum amount.

► **CUSTOMERS**: Import customers per ajax request, first name, last name, phone, company, address, city, province, zip, country.

► **PREMIUM SUPPORT**

Go Pro

**Plugin Links**

*   Project Page
*   Documentation
*   Report Bugs/Issues

**MAY BE YOU NEED**

FEWC – WooCommerce Extra Checkout Fields: Manage checkout fields using WordPress Customizer

EPOW – Custom Product Options for WooCommerce: Add extra options for products using frontend form builder

ChinaDS – Taobao Dropshipping for WooCommerce: Another Taobao dropshipping solution for WooCommerce stores

9MAIL – WordPress Email Templates Designer: Replace plaintext WordPress emails with more beautiful and professional templates

EPOI – WP Points and Rewards: Points and Rewards system for a WordPress website

WebPOS – Point of Sale for WooCommerce: Point of Sale solution for WooCommerce stores

Jagif – WooCommerce Free Gift: Giving gifts to your customers can never be more easier

COREEM – Coupon Reminder for WooCommerce: Send emails to customers to remind them of their coupons, especially ones which are about to expire

COMPE – WooCommerce Compare Products: Help your customers compare two or more products to find out the right one they need

W2S – Migrate WooCommerce to Shopify: Migrate WooCommerce products to Shopify easily via the official Shopify REST Admin API

REDIS – WooCommerce Dynamic Pricing and Discounts: Create flexible pricing rules for products

EXMAGE – WordPress Image Links: Save storage by using external image URLs

Pofily – WooCommerce Product Filters: Advanced filters for WooCommerce

Bopo – Woo Product Bundle Builder: Let the plugin provide your customers with a very flexible and convenient way to purchase bundles

WPBulky – WordPress Bulk Edit Post Types: Save time editing posts/pages/attachment… and other custom post types except for ones created by WooCommerce(product, shop\_order and shop\_coupon)

Bulky – Bulk Edit Products for WooCommerce: Quickly and easily edit your products in bulk. This plugin will save you tons of time editing products.

Product Size Chart For WooCommerce: A simple but flexible solution to create size chart for your products

Checkout Upsell Funnel for WooCommerce: Offer product suggestions and smart order bumps on checkout page

Cart All In One For WooCommerce: All cart features you need in one simple plugin

Email Template Customizer for WooCommerce: Customize WooCommerce emails to make them more beautiful and professional after only several mouse clicks

Product Variations Swatches for WooCommerce: Professional and beautiful colors, buttons, images, variation images and radio variations swatches

Dropshipping and Fulfillment for AliExpress and WooCommerce: Free dropshipping solution – Transfer data from AliExpress products to WooCommerce effortlessly and fulfill AliExpress orders automatically

Abandoned Cart Recovery For WooCommerce: Capture abandoned carts & send reminder emails to customers.

Orders Tracking for WooCommerce: Import orders tracking number and send tracking info to customers

Customer Coupons for WooCommerce: Display coupons on your website

Virtual Reviews for WooCommerce: Virtual Reviews for WooCommerce helps generate virtual reviews, display canned reviews for newly created store

Thank You Page Customizer for WooCommerce: Customize your “Thank You” page and give coupons to customers after a successful order

Sales Countdown Timer: Create a sense of urgency with a countdown to the beginning or end of sales, store launch or other events

EU Cookies Bar: A very simple plugin which helps your website comply with Cookie Law

Lucky Wheel for WooCommerce: Offer customers to spin for coupons by entering their emails.

WordPress Lucky Wheel: WordPress Lucky Wheel gives you the best solution to get emails address from visitors of your WordPress website

Advanced Product Information for WooCommerce: Display more intuitive information of products such as sale countdown, sale badges, who recently bought products, rank of products in their categories, available payment methods…

LookBook for WooCommerce: Create beautiful Lookbooks, Shoppable with Product Tags

Photo Reviews for WooCommerce: Allow posting reviews include product pictures, review reminder, review for coupons.

Product Builder for WooCommerce: Allows your customers to build a full product set from small parts step by step. The plugin works base on WooCommerce with many useful features like compatible, email completed product, attributes filters.

Boost Sales for WooCommerce: Increase profit on every single order with Up-selling and Cross-selling

Free Shipping Bar for WooCommerce: Use free shipping as a marketing tool, encourage customers to pay more for free shipping.

Notification for WooCommerce: Social Proof Marketing plugin. Live recent order on the front-end of your site.

Multi Currency for WooCommerce: Switches to different currencies easily and accepts payment with only one currency or all currencies.

Coupon Box for WooCommerce: Subscribe emails for discount coupons

**Plugin Links**

*   Report Bugs/Issues

1.  Unzip the download package
2.  Upload s2w-import-shopify-to-woo to the /wp-content/plugins/ directory
3.  Activate the plugin through the ‘Plugins’ menu in WordPress

Unable to sync product images!

I was skeptical at first about this plugin, as with any "migrate your store" plugin. However, all I did was put in the Shopify API information and the plugin crunched the numbers and pulled everything over. These are some complex products as well, with several images, many attributes, and variation types, and it handled them all with minimal errors. The only thing is that images are a little slow to move over, and every once in a while I have to go back and click "Download All" again. But, other than that small issue, this plugin is perfect!

Thank you your app helps lot

This plugin does exactly what I was looking for

Hello, I would like to ask, the product was successfully imported from shopify, but why the downloading of pictures is very slow?

Read all 28 reviews

“S2W – Import Shopify to WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

/**1.1.13 – 2022.11.05**/  
– Fixed: Security dispatch

/**1.1.12 – 2022.11.02**/  
– Updated: Compatibility check with WP 6.1 and WC 7

/**1.1.11 – 2022.08.04**/  
– Updated: Support importing HEIC image type

/**1.1.10 – 2022.07.22**/  
– Updated: VillaTheme\_Support  
– Updated: Data sanitization/escaping check  
– Updated: Shopify API version 2022-04  
– Updated: Support importing WEBP image type

/**1.1.9 – 2022.05.30**/  
– Updated: VillaTheme\_Support  
– Updated: Compatible with WP6.0

/**1.1.8 – 2022.04.20**/  
– Updated: VillaTheme\_Support

/**1.1.7 – 2022.03.29**/  
– Updated: VillaTheme\_Support

/**1.1.6 – 2022.03.21**/  
– Updated: VillaTheme\_Support

/**1.1.5 – 2022.02.12**/  
– Updated: Support Shopify custom apps as Private apps are deprecated and can’t be created as of January 2022

/**1.1.4 – 2022.01.11**/  
– Updated: VillaTheme\_Support  
– Updated: Support latest Shopify API version 2022-01  
– Added: Option to disable background processing

/**1.1.3.7 – 2021.07.31**/  
– Updated: Compatible with WP5.8 and WC5.5  
– Updated: Class support

/**1.1.3.6 – 2021.06.16**/  
– Fixed: Variation attributes are not set correctly if attributes name and terms contain non-latin characters

/**1.1.3.5 – 2021.05.04**/  
– Fixed: Can not set product type as variable in some cases

/**1.1.3.4 – 2021.03.06**/  
– Updated: Support latest Shopify API version 2021-01  
– Updated: Compatible with WP5.7 and WC5.0

/**1.1.3.3 – 2020.10.31**/  
– Fixed: Out-of-stock product affects product page query

/**1.1.3.2 – 2020.08.14**/  
– Updated: Compatible with WP5.5 and WC4.3

/**1.1.3.1 – 2020.04.23**/  
– Fixed: Conflict with other plugins using jquery accordion  
– Updated: Class support

/**1.1.3 – 2020.04.06**/  
– Updated: Support latest Shopify API version 2020-04  
– Optimized: Download images in the background

/**1.1.2 – 2020.03.24**/  
– Fixed: Download duplicated images  
– Fixed: Conflict usage of accordion  
– Updated: Compatible with WP5.4 and WC4.0  
– Updated: Class support  
– Updated: Support latest Shopify API version 2020-01  
– Improved: Import speed

/**1.1.1 – 2019.11.17**/  
– Removed: App data  
– Changed: Banner and logo

/**1.1.0 – 2019.11.13**/  
– Added: Shortcut to import products options  
– Added: Support WooCommerce 3.8

/**1.0.9.2 – 2019.10.24**/  
– Added: Function to download error images

/**1.0.9.1 – 2019.10.07**/  
– Updated: Premium URL

/**1.0.9 – 2019.09.27**/  
– Fixed: Reduce bad request rate  
– Fixed: Reduce error images rate  
– Updated: Able to view error images list  
– Optimized: Import speed

/**1.0.8 – 2019.08.07**/  
– Fixed: Conflict usage of accordion with other plugins or theme  
– Fixed: Error matching variation attributes when attribute name is not in English alphabet

/**1.0.7 – 2019.06.14**/  
– Added: Set request timeout  
– Added: Able to change the number of products per ajax request  
– Added: Import Products sequence

/**1.0.6 – 2019.05.15**/  
– Fixed: Some sites can not send API correctly

/**1.0.5 – 2019.05.08**/  
– Optimized: UX, UI  
– Optimized: Download product images

/**1.0.4 – 2019.04.18**/  
– Fixed: Problem downloading product images in the background

/**1.0.3 – 2019.04.10**/  
– Fixed: Error activating plugin

/**1.0.2 – 2019.04.05**/  
– Updated: Add usage guide video

/**1.0.1 – 2019.04.04**/  
– Updated: Make admin notices dismissible  
– Updated: Optimize UX

CVE-2022-44634: S2W – Import Shopify to WooCommerce

Unauth. Arbitrary File Download vulnerability in WatchTowerHQ plugin <= 3.6.15 on WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WatchTowerHQ Website Monitoring: Done Right  
Fed up with using tools that get sold to GoDaddy, lose their founding team, and slowly die?  
Tired of half-assed customer service that takes 72-144 hours to get a response?  
Looking for one solution to cut the costs of many tools?  
Our founding team is intact and not only focused on a world-class customer service experience, we’re focused on making WatchTowerHQ the best tool agencies and companies turn to when managing multiple websites.

**Automated Updates**

Set it and forget it by scheduling WordPress theme and plugin updates in advance. Every Tuesday at 7am? Not a problem with WatchTowerHQ

**Performance Insights**

Wondering why no one stays on your website? It’s probably because it’s slow…like Ford Fiesta slow. Figure out what you need to do to transform it into the Porsche it deserves to be.

**Daily Backups**

Take them daily, store them for a year. Don’t be at the mercy of the intern who accidentally deleted all of your blog posts from the last 6 years. Restore them quickly from one of your backups. Automate these as you would like, or take them manually.

**Historical Data Tracking**

A snapshot in time is great for some. You’re not some. Most are like you, they want to see how data looks over time. Screen shots from last May? Easy peasy. Site speed today relative to 2 months ago? One click.

**Notifications?**

We’ve got you covered. You control who gets alerts, which alerts they get, and when. All for you to control within your account.

**Domain and SSL Registration Monitoring**

The dreaded call from a client at 12:47am when they realize their domain has expired and a 12 year old North Korean is holding it hostage for 72 BTC. Don’t let that happen to you or your clients. Always know when your domain or SSL certificate are about to expire so you can proactively renew.

**Real-time Uptime Monitoring**

Kiss false positives good-bye. Set your limits, get updated when they’re triggered.

**One-Click Access**

Access your WordPress site or staging environment with one click right from the website dashboard.  
WatchTowerHQ is the most robust website monitoring and management tool. Increase operational efficiency by eliminating wasted time, improving your security, and taking preventive action.

**Custom User Roles**

Select from one of WatchTowerHQ’s user roles with granular permissions selection or create custom roles to fit your organizational needs.

Please note that WatchTowerHQ tracks information about your site including:  
\* Domain information (Registrar, DNS, SSL, Blacklist Status, Site & Proxy IP addresses)  
\* WordPress plugins, themes, and core  
\* Google Lighthouse & Google Analytics data  
\* Screen captures  
\* CSS & JavaScript code

After installing the WatchTowerHQ plugin you will need to do a few things to start monitoring your site.  
1\. Activate the WatchTowerHQ plugin.  
2\. Copy the access token found in the WatchTowerHQ Settings (you will need this in a future step).  
3\. Go to WatchTowerHQ to sign up for an account.  
4\. Fill in information about your websites – including the access token that you’d copied earlier.  
5\. Save the website’s information once complete. Happy monitoring!

If you’ve already signed up on WatchTowerHQ, you can also follow the alternative installation:  
1\. Download the WatchTowerHQ client from the Settings dropdown menu  
2\. Go to the Plugins tab in WordPress and select “Add New Plugin”.  
3\. Click the “Upload Plugin” button and upload the zip file you downloaded from WatchTowerHQ.  
4\. Click to activate the client and copy the access token from the WatchTowerHQ settings.  
5\. Go to the “Add new website” form found on the Websites page of your WatchTowerHQ dashboard.  
6\. Select WordPress as your CMS and paste the access token in the space.

**Can I have multiple environments on WatchTowerHQ?**

Yes, you can include your development and other environments to your WatchTowerHQ account for convenient one-click access.

**What does WatchTowerHQ do with my site’s information?**

The information tracked by WatchTowerHQ is used to provide real-time analytics and alerts on your site’s status including vulnerabilities, site downtime, and performance. As well as to notify you about WordPress-specific issues such as abandoned plugins.

**How much is WatchTowerHQ?**

To view our plans and get started with WatchTowerHQ check out our website.

**Can I limit access to other users?**

We have a number of standard roles, that many users requested, along with that we’ve created custom user roles. With custom user roles the options are endless to the access that you can give any one user. Custom User roles are included in all plans at no additional cost.

It's packed with features. One of the best tools available to manage my websites.

Read all 1 review

“WatchTowerHQ” is open source software. The following people have contributed to this plugin.

Contributors

*    watchtowerhq

**3.6.20**

*   remove unused code

**3.6.19**

*   db backup fix

**3.6.18**

*   WordPress 6.1.x compatibility declaration update

**3.6.17**

*   Fix security issue

**3.6.16**

*   Fix security issue

**3.6.15**

*   Fix theme updates info

**3.6.13**

*   Fix plugin updates info

**3.6.12**

*   Fix plugin slug

**3.6.11**

*   Fix plugin slug

**3.6.10**

*   WP 6.x compatibility declaration

**3.6.7**

*   WP 5.9.x compatibility declaration

**3.6.6**

*   fix open basedir warnings

**3.6.1**

*   Add endpoint for removing database backup file

**3.6.0**

*   updated action scheduler

**3.5.69**

*   WP Engine – exception

**3.5.67**

*   code improvements

**3.5.65**

*   code improvements
*   fetch info about debug log

**3.5.1**

*   update action scheduler

**3.5.0**

*   new backup system

**3.4.16**

*   WordPress 5.8 compatibility

**3.4.15**

*   fix UI issue

**3.4.13**

*   better settings UI

**3.4.12**

*   allow resume downloading backup
*   include backup integrity checksum to confirm error free transfer

**3.4.10**

*   code refactoring

**3.4.9**

*   update composer properties

**3.4.8**

*   WordPress 5.7 compatibility

**3.4.4**

*   new backup queue file limits

**3.4.2**

*   increase timeout

**3.4.0**

*   added ZipArchive fallback

**3.3.10**

*   fix curl timeout

**3.3.7**

*   minimum PHP version: 7.1

**3.3.6**

*   readme improvements

**3.3.0**

*   WordPress.org first release.
*   removed custom updates library

CVE-2022-44583: WatchTowerHQ

Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.

CVE-2022-41634: Media Library Folders

Debian Linux Security Advisory 5285-1 - Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5285-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
November 17, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : asterisk  
CVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301  
                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845  
                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608  
                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792  
                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651  
Debian Bug     : 1014998 1018073 1014976

Multiple security vulnerabilities have been found in Asterisk, an Open Source  
Private Branch Exchange. Buffer overflows and other programming errors could be  
exploited for information disclosure or the execution of arbitrary code.

Special care should be taken when upgrading to this new upstream release.  
Some configuration files and options have changed in order to remedy  
certain security vulnerabilities. Most notably the pjsip TLS listener only  
accepts TLSv1.3 connections in the default configuration now. This can be  
reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also  
https://issues.asterisk.org/jira/browse/ASTERISK-29017.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:16.28.0~dfsg-0+deb11u1.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr  
EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo  
k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ  
TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k  
jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV  
Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx  
OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH  
gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r  
foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw  
VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr  
VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7Aêjm  
-----END PGP SIGNATURE-----

Debian Security Advisory 5285-1

By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Study shows that 42% of people use their names in passwords

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Analysts Welcome NSA's Advice for Developers to Adopt Memory-Safe Languages

Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.

DGW Application 48.5.2718

*   Summary
*   Security changes

**Summary**

ID

Synopsis

DGW-14973

SIP: Support additional DHE ciphers

DGW-15007

User passwords are now securely hashed

DGW-15338

OWASP: Disable access to internal UART

DGW-15442

CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate

**Security changes  
**

**DGW-15442 - CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate**

An important security flaw was found in the OpenSSL library affecting DGW version 48.4 and below. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The CVE-2022-0778 has been addressed by upgrading the OpenSSL library to version 1.1.1n.

**DGW-15338 - OWASP: Disable access to internal UART**

Follow OWASP IoT Verification Requirement C.1:Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password.

**DGW-15007 - User passwords are now securely hashed**

User passwords are no longer saved in clear text, but instead saved in a cryptographically secure way, using the PBKDF2-HMAC-SHA256 hash algorithm.

Previously, when exporting a backup or configuration script, the passwords could be read in clear-text. Now, only the hashed passwords are visible.

A user cannot retrieve a forgotten password anymore, since it is impossible to reverse a hashed password into a clear-text password. In case all passwords are forgotten, a partial reset or factory reset can be done to restore to the factory initial passwords.

**DGW-14973 - SIP: Support additional DHE ciphers**

The SipEp service now supports the following DHE ciphers when using SIP over TLS:

*   TLS\_DHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384

**Copyright Notice**

Copyright 2022 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

www.media5corp.com

CVE-2022-43096: DGW Security Improvement Notes v48.5.2718 - Mediatrix

By Owais Sultan
The online world has never been risk-free and in 2022 the risks posed by cybercriminals are a threat…
This is a post from HackRead.com Read the original post: 3 Simple Yet Vital Tips to Stay Safe Online

The online world has never been risk-free and in 2022 the risks posed by cybercriminals are a threat to all internet users. As scams and phishing methods become more complex there is a greater need for the individual to adopt a range of best practices to protect their personal information. 

Cybercriminals can target both individuals and businesses using a wide range of methods: malware can be activated by clicking on malicious links; personal details can be harvested simply by visiting unsecure sites. 

Whether you like to surf the internet for fun and recreation, use it as a platform for online trading, or buy a range of products and services, staying safe online should always be a priority. It is a sobering fact that thousands of pieces of malware are created every day. 

Stay safer online by following these three top tips.

**Be vigilant when trading **

Millions of people around the world now regularly trade online and increasingly that trade is in cryptocurrencies such as Bitcoin. With a wide range of cryptocurrencies now available, it is more important than ever to check that the site you trade on is secure. 

As a rule, you should only trade on sites that feature the padlock icon in their web address, such as can be seen at OKX. This padlock icon proves that the site is secure and uses SSL encryption to ensure that any financial or personal information is transmitted safely. 

It is also good practice to look at reviews from trading platforms. Customer experiences of using these sites can be a valuable source of information on the security of a platform. When trading online or undertaking any type of internet purchasing activity, it is also important to remember not to use unsecured networks.

Surfing in coffee shops and shopping malls can be an attractive proposition but should be avoided whenever any transactions are taking place; otherwise, a cybercriminal could easily pose as a contact from a website you have visited – leaving you open to phishing attacks in the future.

**Use strong passwords**

Whilst most people realize the value of having strong passwords across all the sites they use, it is still surprising how many people do not adhere to this best practice. Many consumers use the same passwords across numerous platforms and sites or use exceptionally weak passwords that can be cracked with a minimum amount of effort. 

Today, search engines can suggest strong passwords and store them securely. This method can make consumers safer online whilst also freeing the need to memorize complex passwords. Put simply, if you use weak or repetitive passwords across sites, you are making it easy for a cybercriminal to harvest your personal details or hack your accounts. 

**Stay up to date**

Another common practice that tends to be overlooked by millions of web visitors is to keep applications and devices up to date with the latest firmware. It is vitally important to check for system and firmware updates on a regular basis. Whilst many updates offer stability improvements or bug fixes, they often contain the latest security updates that keep devices and applications more secure. 

Running software or operating systems that do not have the latest patches leaves them far more vulnerable to attack, so make a point of checking for updates across your devices on a regular basis to ensure that you benefit from the latest security features. 

In summary, follow the above advice to avoid falling victim to one (or more) of the 300,000 pieces of malware that are created every day.

1.  5 Online Fraud Fighting Tips for Novices
2.  Simple Tips to Protect Yourself From Being Catfished
3.  Simple Yet Vital Crypto Security Tips for Beginners and Pros
4.  How to protect your privacy on a smartphone: 12 tips & tricks

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

3 Simple Yet Vital Tips to Stay Safe Online

OPC Foundation Local Discovery Server (LDS) through 1.04.403.478 uses a hard-coded file path to a configuration file. This allows a normal user to create a malicious file that is loaded by LDS (running as a high-privilege user).

Title: Local Discovery Server (LDS) Description:

The Local Discovery Server (LDS) provides the necessary infrastructure to publicly expose the OPC UA Servers available on a given computer.

This download includes:

*   Windows based executable written in portable ANSI C
*   Revision history

Documentation can be found here.

**License**: OPC Redistributable Agreement of Use

*   Support
*   Roadmap
*   Tracking

**OPC Foundation membership** fees are used by the OPC Foundation for the continuous improvement of this application, which includes bug-fixes to the application and the Stack it uses, and adding new features as required by the continuous advancement of the OPC Specifications.

**Sample code/ Reference Implementations** are provided to OPC Foundation Members as-is for the primary purpose of demonstration and educational purposes. OPC Foundation Members may use the OPC Foundation deliverables for their Product development. (Members are not permitted to distribute OPC Foundation Source code (see OPC Foundation license agreement)

**Technical support** is provided in the form of sample code and synopsis documentation. The OPC Foundation will soon have a forum where the OPC Foundation members and community provide “support” for the advancement and adoption of OPC technology.

**Found a bug?** Please report any bugs to our Mantis system. Click the "Tracking" tab for a list of current work items. We welcome your bug-fixes and kindly ask you to submit them via Mantis.

**Have a Suggestion / Request for enhancement / New Features?** Please Join an OPC Foundation Member Working Group (details may be found here). You may also submit requests to the OPC Foundation email address of. All suggestions become the property of the OPC Foundation.

*   Linux version
*   Bug-fixes and enhancements as needed.

Access: Registered User

*   Downloads
*   Archives

Version

Status

Description

Date Posted  
(YYYY-MM-DD)

Download

1.04.405

Release

OPC UA Local Discovery Server MergeModule (ZIP/EXE)

2022-11-08

Icon

1.04.405

Release

OPC UA Local Discovery Server Installer (ZIP/EXE)

2022-11-08

Icon

Version

Status

Description

Date Posted  
(YYYY-MM-DD)

Download

1.04.403.476

Release

OPC UA Local Discovery Server Installer (ZIP/EXE)

2022-03-18

Icon

1.04.403.476

Release

OPC UA Local Discovery Server MergeModule (ZIP/EXE)

2022-03-18

Icon

1.03.401

Release

OPC UA Local Discovery Server (EXE/ZIP)

2019-06-18

Icon

1.03.401

Release

OPC UA Local Discovery Server MergeModule (MSM/ZIP)

2019-06-18

Icon

1.03.400

Release

OPC UA Local Discovery Server (MSI/ZIP)

2018-08-09

Icon

1.03.400

Release

OPC UA Local Discovery Server MergeModule (MSM/ZIP)

2018-08-09

Icon

Version 1.3, February 06, 2017, OPC Foundation

The terms and conditions of the Agreement apply to the Software Deliverables including without limitation any OPC Foundation:

*   updates,
*   supplements
*   Internet-based services, and
*   support services

for the Software Deliverables, unless OPC Foundation specifies that any other terms accompany such items, in which case the alternate terms specified by OPC Foundation would apply.

**BY USING THE SOURCE DELIVERABLES, YOU ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE DELIVERABLES.**

If you comply with this Agreement, you have the rights below.

**1\. INSTALLATION AND USE RIGHTS.**

.  
You may install and use any number of copies of the Software Deliverables.

**2\. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.**

.  
Distributable Code. The Software Deliverables contain compiled code that you are permitted to distribute with programs you develop if you comply with the terms below.

1.  Right to Use and Distribute.

*   You may copy and distribute all files that are part of this Software Deliverables.
*   Third Party Distribution. You may permit distributors of your programs to copy and distribute the Software Deliverables as part of those programs.

3.  Distribution Requirements. For any Software Deliverables you distribute, you must:
4.  add significant primary functionality to it in your programs;
5.  require distributors and external end users to agree to terms that protect it at least as much as this Agreement;
6.  display your valid copyright notice on your programs; and
7.  indemnify, defend, and hold harmless the OPC Foundation from any claims, including attorneys’ fees, related to the distribution or use of your programs.
8.  Distribution Restrictions. You may not:

*   alter any copyright, trademark or patent notice in the Software Deliverables;
*   use the OPC Foundation’s trademarks in your programs’ names or in a way that suggests your programs come from or are endorsed by the OPC Foundation;
*   include Software Deliverables in malicious, deceptive or unlawful programs;
*   modify or distribute the source code of any Software Deliverables so that any part of it becomes subject to an Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that (1). the code be disclosed or distributed in source code form; or (2) permit or otherwise allow others to have the right to modify such Software Deliverables; or
*   create additional software components that directly link or directly load the Software Deliverables without accepting the corresponding source license for that Software Deliverable.

**3\. SCOPE OF LICENSE.**

The Software Deliverables are licensed, not sold. This Agreement only gives you some rights to use the Software Deliverables. The OPC Foundation reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this Agreement. In doing so, you must comply with any technical limitations in the Software Deliverables that only allow you to use it in certain ways. You may not:

*   disclose the results of any benchmark tests of the Software Deliverables to any third party without OPC Foundation’s prior written approval;
*   work around any technical limitations in the Software Deliverables;
*   reverse engineer, decompile or disassemble the Software Deliverables, except and only to the extent that applicable law expressly permits, despite this limitation;
*   make more copies of the Software Deliverables than specified in this Agreement or allowed by applicable law, despite this limitation;
*   publish the Software Deliverables for others to copy; or
*   rent, lease or lend the Software Deliverables.

**4\. BACKUP COPY.**

You may make one backup copy of the Software Deliverables. You may use such copy only to reinstall the Software.

**5\. DOCUMENTATION.**

Any person that has valid access to your computer or internal network may copy and use the documentation related to the Software Deliverables for your internal reference purposes.

**6\. EXPORT RESTRICTIONS.**

The Software Deliverables are subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Software Deliverables. These laws include restrictions on destinations, end users and end use.

**7\. SUPPORT SERVICES.**

Because you accept the Software3 Deliverables from OPC Foundation “as is,” OPC Foundation may not provide support services for it.

**8\. ENTIRE AGREEMENT.**

This Agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire Agreement for the Software Deliverables and support services.

**10\. LEGAL EFFECT**

This Agreement describes certain legal rights. You may have other rights under the laws of your country. This Agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

**11\. DISCLAIMER OF WARRANTY.**

THE SOFTWARE DELIVERABLES ARE LICENSED “AS-IS.” YOU BEAR THE RISK OF USING THE SPECIFICATIONS. THE OPC FOUNDATION MAKES NO WARRANTY OF ANY KIND, EXPRESSED OR IMPLIED, WITH REGARD TO THE SOFTWARE DELIVERABLES, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF TITLE OR OWNERSHIP, IMPLIED WARRANTY OF MERCHANTABILITY, OR WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE OR USE.YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS THAT THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, THE OPC FOUNDATION EXCLUDES THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.  
IN NO EVENT SHALL THE OPC FOUNDATION BE LIABLE FOR ERRORS CONTAINED IN THE SOURCE DELIVERABLES OR FOR DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, RELIANCE OR COVER DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, DATA, OR USE, INCURRED BY ANY USER OR ANY THIRD PARTY IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THE SOFTWARE DELIVERABLES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE USING THE SOFTWARE DELIVERABLES IS BORNE BY YOU AND/OR THE USER.

Tag

#ssl