Security News

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "Master" node that deploys the changes to a target group of "Minions" en masse.

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "Master" node that deploys the changes to a target group of "Minions" en masse.

The Salt community has been aware of a critical vulnerability in Salt Master versions since late last week. "More warnings appeared early this week. F-Secure's Mikko Hypponen tweeted on Monday, 27 April:"The vulnerability in Salt Master 3000.1 has been rated with a CVSS of 10.0"".

Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, could allow students to steal personal information, change their grades, cheat on tests and more. The flaws range in seriousness and impact, but could allow third-party attackers to steal personal information or target the financial payment methods that are tied to the platforms.

Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. According to the Check Point Research Team, the three WordPress plugins in question - LearnPress, LearnDash, and LifterLMS - have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges.

Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. According to the Check Point Research Team, the three WordPress plugins in question - LearnPress, LearnDash, and LifterLMS - have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges.

A critical GitLab vulnerability, which could be leveraged by a remote attacker to execute code, recently netted a researcher a $20,000 bug-bounty award. The flaw was reported to GitLab by software developer William Bowling via the HackerOne bug bounty platform on March 23.

A researcher has earned $20,000 from GitLab after reporting a critical vulnerability that could have been exploited to obtain sensitive information from a server and to execute arbitrary code. The vulnerability was discovered in March by William Bowling, who noticed that an attacker could obtain arbitrary files from a server when moving an issue from one GitLab project to another.

Adobe has pushed out security updates fixing critical flaws in Magento Commerce, Open Source Enterprise and Community editions, Adobe Illustrator 2020 for Windows, and Adobe Bridge for Windows. The Adobe Illustrator vector graphics editor has been updated to close five critical memory corruption vulnerabilities that could be exploited for arbitrary code execution.

Updates released by Adobe on Tuesday for the Magento Commerce and Open Source editions address multiple critical severity vulnerabilities that could lead to arbitrary code execution. A total of six critical vulnerabilities were patched in the popular e-commerce platform, none of which requires authentication for a successful exploitation.