There were four disclosures over the last two weeks, with one issue unfixed.
View this week’s vulnerable plugins list.
A weekly report on a Monday? Yeah. There were a lot of disclosures during the Thanksgiving week to sort through. Unfortunately, the vast majority of them were false positives and/or inaccurate and it took much longer for me to go over them than I anticipated.
Other Security News
The last two week have been full of security related news. First, RIPS Technologies revealed details behind a Remote Code Execution vulnerability via phar deserialization in phpBB, version 3.2.3 and earlier. phpBB has released v3.2.4 which fixes the vulnerability. Next, it was revealed the US Postal Service had exposed data from 60 million of its customers via a broken API. Not to be outdone, Marriott revealed that some 500 million customers records from its Starwood properties had been breached in September of this year. Researchers at Tenable revealed that a vulnerability in Zoom’s desktop conference application could allow an attacker to spoof messages, hijack screen controls and kick other attendees out of meetings. Zoom has released an update that corrects the vulnerability. Last, it was revealed that a popular npm package, event-stream, had had crypto-stealing code injected into it back in September.