DefenseCode ThunderScan SAST Advisory: 53+ WordPress plugins by BestWebSoft Multiple Cross-Site Scripting (XSS) Vulnerabilities

Posted by DefenseCode on Apr 12

DefenseCode ThunderScan SAST Advisory
53+ WordPress plugins by BestWebSoft Multiple
Cross-Site Scripting (XSS) Vulnerabilities

Advisory ID: DC-2017-02-014
Software: 53+ WordPress plugins by BestWebSoft
Software Language: PHP
Version: Various
Vendor Status: Vendor contacted, vulnerabilities confirmed
Release Date: 20170412
Risk: Medium

# Advisory Overview

BestWebSoft published more than 50 plugins to the wordpress.org site….

DefenseCode Security Advisory: Magento 0day Arbitrary File Upload Vulnerability (Remote Code Execution, CSRF)

Posted by DefenseCode on Apr 12

DefenseCode Security Advisory
Magento 0day Arbitrary File Upload Vulnerability
(Remote Code Execution, CSRF)

Advisory ID: DC-2017-04-003
Software: Magento CE
Software Language: PHP
Version: 2.1.6 and below
Vendor Status: Vendor contacted / Not fixed
Release Date: 20170413
Risk: High

# Advisory Overview

During the security audit of Magento Community Edition, a highly popular
e-commerce platform, a high risk…

Proxifier for Mac 2.19 local root privesc

Posted by Mark Wadham on Apr 12

With CVE-2017-7643 I disclosed a command injection vulnerability in the KLoader binary that ships with Proxifier <= 2.18.

Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result.

When Proxifier is first run, if the KLoader binary is not suid root it gets executed as root by Proxifier.app (the user is prompted to enter an admin password). The KLoader binary will then make itself suid root so that…
