April 4, 2024 at 08:47AM The Cybersecurity and Infrastructure Security Agency is promoting the Secure by Design initiative, advising companies to intensify their efforts in eliminating SQL injection vulnerabilities. As part of its Secure by Design initiative, the Cybersecurity and Infrastructure Security Agency has urged companies to intensify their efforts to eliminate SQL injection vulnerabilities. … Read more
April 3, 2024 at 02:28PM LayerSlider, a popular WordPress plugin with over one million users, has been found to be vulnerable to unauthenticated SQL injection, allowing attackers to extract sensitive data from websites. Researcher AmrAwad received a $5,500 bounty for reporting this critical flaw, which has been addressed by the release of version 7.10.1, requiring … Read more
April 3, 2024 at 09:18AM A critical SQL injection vulnerability in the LayerSlider plugin, tracked as CVE-2024-2879 with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from website databases. The issue was reported through Defiant’s bug bounty program, and a $5,500 reward was given to the reporting researcher. Users are advised … Read more
April 3, 2024 at 02:03AM A critical security flaw (CVE-2024-2879) in LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities … Read more
March 26, 2024 at 12:52PM The FBI and CISA issued a warning to software vendors about the prevalence of SQL injection vulnerabilities. They emphasized the need for formal code reviews and secure-by-design programming practices to eradicate these vulnerabilities from the development process. They also urged vendors to use parameterized queries and be transparent in disclosing … Read more
March 26, 2024 at 07:18AM CISA and the FBI advise organizations to review and eliminate SQL injection vulnerabilities in their commercial software, as such flaws pose a significant security risk. They urge technology manufacturers to conduct a formal code review and embrace secure-by-design principles in software development to prevent malicious exploitation and enhance cybersecurity. From … Read more
March 25, 2024 at 02:28PM CISA and FBI advised technology manufacturing executives to conduct formal software reviews and implement mitigations to eliminate SQL injection (SQLi) vulnerabilities. SQL injection attacks enable unauthorized access to sensitive data and can lead to data breaches and system takeover. They recommend using parameterized queries with prepared statements as a secure … Read more
March 21, 2024 at 11:18AM Security researchers have released a PoC exploit for a critical SQL injection vulnerability in Fortinet’s FortiClient EMS. Tracked as CVE-2023-48788, it impacts versions 7.0 and 7.2, allowing unauthenticated threat actors to gain RCE with SYSTEM privileges. With Horizon3’s PoC, attackers can modify it to use Microsoft SQL Server xp_cmdshell for … Read more
March 14, 2024 at 01:21AM Fortinet warns of critical flaw (CVE-2023-48788) in FortiClientEMS and two other bugs in FortiOS and FortiProxy, with a 9.3 CVSS score. Exploitation could result in unauthorized code execution. Upgrade affected versions as per the advisory. No current active exploitation, but immediate patching is crucial due to prior abuse of unpatched … Read more
February 27, 2024 at 01:09AM A critical security flaw (CVE-2024-1071) has been discovered in the Ultimate Member WordPress plugin, potentially allowing attackers to exploit SQL injection and extract sensitive data from the database. The issue has been addressed in version 2.8.3, following responsible disclosure. Users are strongly advised to update the plugin to mitigate potential … Read more