#ssrf

Google WordPress Plug-in Bug Allows AWS Metadata Theft

A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

2 years ago

DARKReading

Open in Source

#vulnerability #web #google #amazon #git #wordpress #intel #rce #perl #ssrf #aws #auth #chrome

Lego's Bricklink steps on cross site scripting blocks

Categories: News Tags: lego Tags: bricklink Tags: cross site scripting Tags: bug Tags: flaw We take a look at how Lego's Bricklink service was potentially vulnerable to certain types of XSS attack. (Read more...) The post Lego's Bricklink steps on cross site scripting blocks appeared first on Malwarebytes Labs.

2 years ago

Malwarebytes

Open in Source

#xss #vulnerability #web #amazon #java #ssrf

Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit

The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers.

2 years ago

DARKReading

Open in Source

#vulnerability #web #microsoft #git #rce #ssrf

Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,

2 years ago

The Hacker News

Open in Source

#vulnerability #web #windows #microsoft #git #rce #ssrf #auth #zero_day #The Hacker News

CVE-2022-47635: Changelogs - Documentation - Confluence

Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php.

2 years ago

CVE

Open in Source

#php #ssrf

CVE-2022-43887: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450.

2 years ago

CVE

Open in Source

#sql #xss #vulnerability #web #google #dos #apache #redis #nodejs #js #java #ssrf #auth #ibm

Safeurl HTTP library brings SSRF protection to Go applications

Prizes offered to anyone who can bypass the library and capture the flag

2 years ago

PortSwigger

Open in Source

#vulnerability #web #ssrf

CVE-2022-47514: XML-RPC.Net - Downloads

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

2 years ago

CVE

Open in Source

#vulnerability #web #windows #microsoft #linux #c++#ssrf #auth

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

2 years ago

PortSwigger

Open in Source

#sql #csrf #vulnerability #web #ios #android #google #microsoft #apache #nodejs #js #git #java #kubernetes #intel #ssrf #aws #log4j #auth #zero_day #ssl

CVE-2022-42343: Adobe Security Bulletin

Adobe Campaign version 7.3.1 (and earlier) and 8.3.9 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

2 years ago

CVE

Open in Source

#vulnerability #windows #linux #ssrf #auth