Security
Headlines
HeadlinesLatestCVEs

Tag

#ios

phpFK 9.2 Beta Cross Site Scripting / SQL Injection

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

Packet Storm
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#apple#google#ubuntu#linux#debian#cisco#java#php#perl#auth#ruby#firefox
CVE-2020-36741: class-wcmp-vendor-dashboard.php in dc-woocommerce-multi-vendor/tags/3.5.8/classes – WordPress Plugin Repository

The MultiVendorX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.7. This is due to missing or incorrect nonce validation on the submit_comment() function. This makes it possible for unauthenticated attackers to submit comments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-33298: MacOS - Agent

com.perimeter81.osx.HelperTool in Perimeter81 10.0.0.19 on macOS allows Local Privilege Escalation (to root) via shell metacharacters in usingCAPath.

CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet

A flaw null pointer dereference in the Linux kernel DECnet networking protocol was found. A remote user could use this flaw to crash the system.

GHSA-w5w5-2882-47pc: github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

# x/crisis does not charge ConstantFee ### Impact If a transaction is sent to the `x/crisis` module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the `x/crisis` module are affected on all versions of the Cosmos SDK. ### Details The `x/crisis` module is supposed to allow anyone to halt a chain in the event of a violated invariant by sending a `MsgVerifyInvariant` with the name of the invariant. Processing this message takes extra processing power hence a `ConstantFee` was introduced on the chain that is charged as extra from the reporter for the extra computational work. This is supposed to avert spammers on the chain making nodes do extra computations using this transaction. By not charging the `ConstantFee`, the transactions related to invariant checking are relatively cheaper compared to the computational need and other transactions. That said, the submitter still has to pay the transaction fee to put the transaction on the network, h...

Mobile Cyberattacks Soar, Especially Against Android Users

The number of malware samples is up as attackers aim to compromise users where they work and play: Their smartphones.

CVE-2023-26299: AMI UEFI Firmware June 2023 Security Update (TOCTOU)

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), which might allow arbitrary code execution. AMI has released updates to mitigate the potential vulnerability.

Apple, Google, and MOVEit Just Patched Serious Security Flaws

Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.

CVE-2023-28387: "NewsPicks" App uses a hard-coded API key for an external service

"NewsPicks" App for Android versions 10.4.5 and earlier and "NewsPicks" App for iOS versions 10.4.2 and earlier use hard-coded credentials, which may allow a local attacker to analyze data in the app and to obtain API key for an external service.