Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-43986: [CVE-2023-43986] Improper neutralization of SQL parameter in DM Concept - Advanced configurator for customized product module for PrestaShop

DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken.

CVE
Open in Source
#sql#vulnerability#web#php#perl#auth
CVE-2023-45381: [CVE-2023-45381] Improper neutralization of SQL parameter in WebshopWorks Creative Popup module for PrestaShop

In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup().`

CVE-2023-45820: Directus crashes on invalid WebSocket message

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has been addressed in version 10.6.2. Users are advised to upgrade. Users unable to upgrade should avoid using websockets.

Human Error: Casio ClassPad Data Breach Impacting 148 Countries

By Waqas If you are a Casio ClassPad customer, it is strongly recommended that you change your ClassPad password immediately to protect yourself. This is a post from HackRead.com Read the original post: Human Error: Casio ClassPad Data Breach Impacting 148 Countries

More helpful resources for users of all skill levels to help you Take a Security Action

Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.

IT administrators' passwords are awful too

Categories: Business Categories: News Tags: IT administrators Tags: admin Tags: password Tags: qwerty Tags: 123456 Are IT administrators any better at coming up with decent passwords? Research says they aren't. (Read more...) The post IT administrators' passwords are awful too appeared first on Malwarebytes Labs.

CVE-2023-45281: Yamcs v5.8.6 Vulnerability Assessment

An issue in Yamcs 5.8.6 allows attackers to obtain the session cookie via upload of crafted HTML file.

Why Do We Need Real-World Context to Prioritize CVEs?

Without the proper context, organizations waste time mitigating software flaws that won't likely affect their systems.

APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

By Deeba Ahmed All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

GHSA-v65r-p3vv-jjfv: TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin

### Impact A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations) (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native [DOMParser API](https://developer.mozilla.org/en-US/docs/Web/API/DOMParser) (TinyMCE 6) or the [SaxParser API](https://www.tiny.cloud/docs/api/tinymce.html/tinymce.html.saxparser/) (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. ​This vulnerability also impacts these related TinyMCE APIs and plugins:​ * [`tinymce.Editor.getContent({ format: 'raw' })`](https://tiny.cloud/docs/tinymce...