CISA Warns of Renewed Emotet Activity

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2020-26876
PUBLISHED: 2020-10-07

The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-js…
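The wp-courses entry above describes a common WordPress failure: a plugin registers a custom post type with show_in_rest enabled, and the public /wp-json routes then serve the post content to anyone, bypassing whatever payment gate the plugin's own templates enforced. The following is an added audit example (not the plugin's code and not from the advisory) that works offline on constructed copies of two responses: the /wp-json/wp/v2/types listing, whose field names (`slug`, `rest_base`) follow the WordPress core response, and one collection route. The `course_video` post type slug and the item bodies are assumptions made for the example, not the plugin's real identifiers.

```python
"""Audit which WordPress post types a site exposes through the REST API.

Added example; not code from wp-courses or WordPress. The idea: the
/wp-json/wp/v2/types listing is public, so enumerate every post type that
is not one WordPress core registers itself, then fetch each route without
credentials and see whether the content body comes back readable.
"""
import json

# Post types that WordPress core itself exposes in the REST API.
CORE_REST_TYPES = {
    "post", "page", "attachment", "wp_block", "wp_template",
    "wp_template_part", "wp_navigation",
}

# Constructed sample of a /wp-json/wp/v2/types response (trimmed to the
# fields used here). The "course_video" type is an assumed plugin type.
SAMPLE_TYPES_JSON = json.dumps({
    "post": {"name": "Posts", "slug": "post", "rest_base": "posts"},
    "page": {"name": "Pages", "slug": "page", "rest_base": "pages"},
    "course_video": {"name": "Course videos", "slug": "course_video",
                     "rest_base": "course_video"},
})

# Constructed sample of an unauthenticated GET on the assumed course route.
SAMPLE_ITEMS_JSON = json.dumps([
    {"id": 12, "status": "publish",
     "content": {"rendered": "<video src=\"/paid/lesson1.mp4\"></video>",
                 "protected": False}},
    {"id": 13, "status": "publish",
     "content": {"rendered": "", "protected": True}},
])


def exposed_custom_types(types_json: str, base_url: str):
    """Return (slug, route_url) for each non-core post type that has a
    REST route, i.e. one a plugin opted in with show_in_rest."""
    types = json.loads(types_json)
    found = []
    for slug, info in types.items():
        if slug in CORE_REST_TYPES:
            continue
        rest_base = info.get("rest_base") or slug
        route = f"{base_url.rstrip('/')}/wp-json/wp/v2/{rest_base}"
        found.append((slug, route))
    return found


def leaked_items(items_json: str):
    """Return the ids of items whose content body is readable in the
    unauthenticated response. WordPress marks password-protected posts
    with "protected": true and blanks "rendered"; anything else with a
    non-empty body is being served to the anonymous caller."""
    leaked = []
    for item in json.loads(items_json):
        content = item.get("content", {})
        if content.get("rendered") and not content.get("protected", False):
            leaked.append(item["id"])
    return leaked


if __name__ == "__main__":
    for slug, route in exposed_custom_types(SAMPLE_TYPES_JSON,
                                            "https://shop.example"):
        print(f"custom post type {slug!r} exposed at {route}")
    print("items readable without login:", leaked_items(SAMPLE_ITEMS_JSON))
```

Against a live site you would replace the two constructed strings with the bodies of real GET requests made without a cookie; any custom type whose route returns non-empty `content.rendered` is content the plugin is serving outside its own access control, which is exactly the bypass the advisory describes.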

CVE-2020-17551
PUBLISHED: 2020-10-07

ImpressCMS 1.4.0 is affected by XSS in modules/system/admin.php which may result in arbitrary remote code execution.

CVE-2020-26870
PUBLISHED: 2020-10-07

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

CVE-2020-26596
PUBLISHED: 2020-10-07

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widg…

CVE-2020-13342
PUBLISHED: 2020-10-07

An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: lack of rate limiting when re-sending the confirmation email.
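The GitLab entry above is a missing-control finding: an endpoint that triggers outbound email to a user-chosen address had no per-account limit, so it could be driven in a loop. The following is an added example of the kind of sliding-window limiter that closes that gap; it is not GitLab's code, and the limit (3 sends), window (one hour) and action name are assumptions chosen for the example. A clock callable is injected so the behaviour is testable without sleeping.

```python
"""Per-account sliding-window rate limit for a resend-confirmation action.

Added illustration; not GitLab's implementation. Each (account, action)
pair keeps a deque of send timestamps; a request is allowed only if fewer
than `limit` sends remain inside the trailing window.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


class ResendRateLimiter:
    def __init__(self, limit: int = 3, window_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, account: str, action: str = "resend_confirmation") -> bool:
        """Record and allow the request, or reject it without sending."""
        now = self.clock()
        q = self._events[(account, action)]
        # Expire timestamps that have fallen out of the trailing window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, account: str,
                    action: str = "resend_confirmation") -> float:
        """Seconds until the oldest in-window send expires (0 if not limited).
        Suitable for a Retry-After header on the 429 response."""
        q = self._events[(account, action)]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


def decide_sequence(events: List[Tuple[float, str]], limit: int = 3,
                    window_seconds: float = 3600.0) -> List[bool]:
    """Replay a constructed list of (timestamp, account) resend requests
    through one limiter and return the allow/deny decision for each."""
    clock = {"now": 0.0}
    limiter = ResendRateLimiter(limit, window_seconds, clock=lambda: clock["now"])
    decisions = []
    for ts, account in events:
        clock["now"] = ts
        decisions.append(limiter.allow(account))
    return decisions


if __name__ == "__main__":
    # Constructed burst: alice hammers the endpoint, bob sends once, and
    # alice tries again after the window has passed.
    burst = [(0, "alice"), (1, "alice"), (2, "alice"), (3, "alice"),
             (4, "bob"), (3601, "alice")]
    for (ts, who), ok in zip(burst, decide_sequence(burst)):
        print(f"t={ts:>5} {who:<6} {'sent' if ok else 'rejected (429)'}")
```

The limiter is keyed on the account the email is being sent for, not on the caller's IP, because the harm in this class of bug is the volume of mail directed at the victim address; a per-IP limit alone is trivially spread across sources. In production the deque would live in a shared store (GitLab, for instance, uses Redis for its application rate limits) so that the limit holds across application nodes.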

