Aggregator

A vulnerability was found in Univention UCS 5.0. It has been declared as critical. This vulnerability affects the function check_univention_joinstatus. The manipulation leads to exposure of resource. This vulnerability was named CVE-2023-38994. The attack needs to be approached locally. There is no exploit available.

A vulnerability classified as problematic has been found in Delta Electronics InfraSuite Device Master up to 1.0.7. This affects an unknown part of the component UDP Packet Handler. The manipulation leads to path traversal: '.../...//'. This vulnerability is uniquely identified as CVE-2023-47279. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in LiveConfig up to 2.5.1. It has been classified as critical. This affects an unknown part of the file /static/ of the component Request Handler. The manipulation leads to path traversal. This vulnerability is uniquely identified as CVE-2024-22851. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Joel Starnes postMash Plugin up to 1.2.0 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-27196. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic was found in PayU India Plugin up to 3.8.2 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-27193. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in Veribo & Roland Murg WP Simple Booking Calendar Plugin up to 2.0.8.4 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2023-51525. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Klarna Payments for WooCommerce Plugin up to 3.2.4 on WordPress. Affected is an unknown function. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2024-30477. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability classified as critical was found in Averta Shortcodes and Extra Features for Phlox Theme up to 2.15.5 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authorization. This vulnerability is known as CVE-2024-31099. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Brice Capobianco Simple Revisions Delete Plugin up to 1.5.3 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2024-30482. The attack may be launched remotely. There is no exploit available.

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to

MITRE’s Attack Flow project aims to translate complex cyber operations into a structured language. By describing how adversaries sequence and combine offensive techniques to reach their objectives, Attack Flow offers defenders, analysts, and decision-makers a tool to see the bigger picture. Threat intelligence Cyber threat intel (CTI) teams can use Attack Flow to show how attackers behave, not just what tools they use. It tracks activity across incidents, campaigns, or threat groups. Because it’s machine-readable, … More →

The post Attack Flow: Learn how cyber adversaries combine and sequence offensive techniques appeared first on Help Net Security.

Axing Security Clearance Will Undermine Talent Pipeline, Chill Vendor Collaboration
Trump’s executive order revoking security clearances from SentinelOne over its hiring of former CISA head Chris Krebs is fueling fear in the cybersecurity sector. Experts warn the decision could hinder cybersecurity talent recruitment and public-private partnerships essential to national defense.

Threat Actors Deploy Obfuscation Tactics to Targets Windows Machines
Likely Chinese nation-state hackers are targeting European companies using previously unseen malware backdoor variants with advanced network tunneling and evasion capabilities for data theft. Brussels-based security firm Nviso links the campaign to a threat actor tracked as UNC5221.

Ransomware Gang Qilin Claims to Have 42GB of Practice's Stolen Data
Ransomware group Qilin posted at least 42 gigabytes of data stolen from a Texas pediatric orthopedic practice for sale on its darkweb leak site in February. In recent days, Central Texas Pediatric Orthopedics began notifying more than 140,000 people that their data was compromised by hackers.

Malware Hides in Memory, Evades Detection by Endpoint Tools
A Chinese state-backed hacking group tracked as UNC5174 relaunched its operations after a year of silence with a campaign using a memory-only remote access Trojan that evades traditional detection mechanisms, according to new research from cybersecurity firm Sysdig.

Complaint Says Russia-Based IP Address Attempted to Gain Access as DOGE Took Data
A whistleblower has accused staffers from the Department of Government Efficiency of attempting to cover their tracks while collecting troves of sensitive data from the independent labor agency's computer systems, raising significant security concerns.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael DePlante (@izobashi) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 3.3 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N severity vulnerability discovered by 'Michael DePlante (@izobashi) of Trend Zero Day Initiative' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Paolo `paupu` Cavaglia of Shielder, Abdel Adim `smaury` Oisfi of Shielder and Nicola `fromVeeko` Davico of Shielder' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2025-04-16, 93 days ago. The vendor is given until 2025-08-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.