Drupal fixed a handful of issues in versions 7 and 8 of the content management system core engine that could have led to cache poisoning, social engineering attacks, and a denial of service condition.
Tag Archives: CMS
Joomla Update Fixes Two Critical Issues, 2FA Error
Joomla fixed two critical issues in the content management system and is strongly encouraging users to update their sites immediately.
Drupal Patches Remote Code Execution Vulnerabilities in Three Modules
Developers with the open source content management framework Drupal patched a series of highly critical remote code execution bugs in three separate modules today. If exploited, the bugs could let an attacker take over any site running the modules.
Drupal Update Fixes 10 Vulnerabilities, One Critical
Drupal addressed 10 vulnerabilities in the CMS this week, including a critical access bypass issue and another issue that could lead to remote code execution.
WordPress 4.4.1 Update Resolves XSS Vulnerability
Developers at WordPress are warning users of the content management system to download and apply the most recent update, pushed yesterday, to address a cross-site scripting vulnerability.
Attacks Ramp Up Against Joomla Zero Day
Researchers at Sucuri said attacks against a zero-day vulnerability in Joomla, which has been patched, have accelerated since the weekend.
Vulnerabilities Identified in Several WordPress Plugins
Researchers have identified a handful of vulnerabilities present in three different plugins used by the content management system WordPress.
XSS Vulnerability In WordPress – Update Now
The guys from WordPress just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.” To do so, just visit your Dashboard, click on ‘Updates’ and then on ‘Update Now’. As mentioned above, you’ll only have to update manually if, for whatever reason, you decided to disable the automatic updates.
According to their blog entry, the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.”
And don’t forget: Since WordPress is definitely one of the most popular Content Management Systems and blogging platforms out there it remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.
If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.
The post XSS Vulnerability In WordPress – Update Now appeared first on Avira Blog.
WordPress Patches Critical XSS Vulnerability in All Builds
WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise.
WordPress: Compromised Sites Leaking User Credentials
Only recently there were several reports of WordPress plugins and themes with vulnerabilities: last week’s XSS vulnerability, multiple ones in the eCommerce shopping cart plugin TheCartPress, and a zero-day exploit in WordPress 4.2.1.
This week it seems like there is yet another one. According to researchers at Zscaler, there are a couple of compromised WordPress pages out there that are all leaking credentials. “The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. Till now, we have identified only one domain ‘conyouse.com’ which is collecting all the credentials from these compromised sites,” the page reads.
They conclude that WordPress, as one of the most popular Content Management Systems and blogging platforms, remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.
If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.
The post WordPress: Compromised Sites Leaking User Credentials appeared first on Avira Blog.