Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-48833: Time Slots Booking Calendar | PHPJabbers

A lack of rate limiting in pjActionAJaxSend in Time Slots Booking Calendar 4.0 allows attackers to cause resource exhaustion.

CVE
Open in Source
#web#ios#android#php#auth
CVE-2023-48831: Availability Booking Calendar | Calendar Booking System

A lack of rate limiting in pjActionAJaxSend in Availability Booking Calendar 5.0 allows attackers to cause resource exhaustion.

CVE-2023-48841: Appointment Scheduler | Appointment Scheduling Software

Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action.

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

CVE-2023-48825: PHPJabbers Availability Booking Calendar 5.0 HTML Injection ≈ Packet Storm

Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.

CVE-2023-48172: Shuttle Booking System | PHPJabbers

A Cross Site Scripting (XSS) vulnerability in Shuttle Booking Software 2.0 allows a remote attacker to inject JavaScript via the name, description, title, or address parameter to index.php.

New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to main covert access to victim networks at lease since 2021. Named after a nocturnal female spirit of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB said in a report

Meta Launches Default End-to-End Encryption for Chats and Calls on Messenger

Meta has officially begun to roll out support for end-to-end encryption (E2EE) in Messenger for personal calls and one-to-one personal messages by default in what it called the "most significant milestone yet." "This isn't a routine security update: we rebuilt the app from the ground up, in close consultation with privacy and safety experts," Loredana Crisan, vice president of

CVE-2023-5761: Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 - Unauthenticated SQL Injection — Wordfence Intelligence

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2023-5713: System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_option_value) — Wordfence Intelligence

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values.