CVE-2016-10148

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.

CVE-2016-6896

Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

CVE-2016-10147

crypto/mcryptd.c in the Linux kernel before 4.8.15 allows local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5).

Shadow IT and "No" versus "Know"

In an information-based economy where bring-your-own devices (BYOD) and, increasingly, bring-your-own applications (BYOA) are the norm, IT groups are struggling to enable their organizations to be fast and flexible while protecting their digital assets. Shadow IT, also referred to as rogue or cockroach IT, encompasses the devices, software, and services outside the ownership or control of IT groups. While Shadow IT poses a significant threat to the management and security of organizations, it can also be a source of speed, agility, and freedom that enables business success.