Security News

Silver Peak SD-WAN Bugs Allow for Network Takeover
2020-11-11 21:04

Silver Peak's Unity Orchestrator, a software-defined WAN management platform, suffers from three remote code-execution security bugs that can be chained together to allow network takeover by unauthenticated attackers. The issues are present in Silver Peak Unity Orchestrator releases earlier than 8.9.11, 8.10.11 and 9.0.1; those versions and later ones on each branch contain the fix. Orchestrator instances that are hosted by customers, whether on-premises or in a public cloud provider, are affected, Silver Peak said.

Ultimate Member Plugin for WordPress Allows Site Takeover
2020-11-09 19:13

"The Ultimate Member plugin is designed to provide administrators with features for user registration and account creation. The disclosed vulnerabilities included unauthenticated privilege escalation by sending arbitrary data in the user meta keys during registration or supplying an incorrect role parameter exposed by a lack of user input filtering. The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update feature, where attackers can assign secondary admin roles to users without appropriate checks." "An attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges," according to Wordfence.
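The two weak patterns Wordfence describes (storing whatever meta keys a registration form submits, and accepting a role name from the request) are shown below next to a hardened version. This is an added illustration written for this page, not code from Ultimate Member or Wordfence; the function names and the list of allowed profile fields are hypothetical, while the WordPress APIs used (`wp_create_user`, `update_user_meta`, `WP_User::set_role`, `current_user_can`, `get_editable_roles`) are real.

```php
<?php
// Added illustration, not Ultimate Member's code. Function names and the
// allowlist of profile fields are hypothetical; the WordPress APIs are real.

// VULNERABLE: meta keys and the role come straight from the request.
function insecure_register_user( array $request ) {
    $user_id = wp_create_user( $request['username'], $request['password'], $request['email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Every submitted key is written as user meta. The role itself lives in
    // user meta ("wp_capabilities" on a default install), so an attacker who
    // submits that key writes their own role.
    foreach ( $request['meta'] as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    // Role taken from the request with no allowlist and no capability check.
    if ( ! empty( $request['role'] ) ) {
        $user = new WP_User( $user_id );
        $user->set_role( $request['role'] );
    }
    return $user_id;
}

// HARDENED: only named profile fields are stored, self-registration always
// receives the site's default role, and the request cannot name a role.
function secure_register_user( array $request ) {
    $user_id = wp_create_user(
        sanitize_user( $request['username'] ),
        $request['password'],
        sanitize_email( $request['email'] )
    );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Allowlist of fields the form is meant to collect (hypothetical set).
    $allowed_meta = array( 'first_name', 'last_name', 'description' );
    foreach ( $allowed_meta as $key ) {
        if ( isset( $request['meta'][ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $request['meta'][ $key ] ) );
        }
    }
    $user = new WP_User( $user_id );
    $user->set_role( get_option( 'default_role', 'subscriber' ) );
    return $user_id;
}

// Role changes (the profile-update path) are a separate privileged action:
// the caller must hold promote_users, and the target role must be one the
// caller is allowed to assign. get_editable_roles() (wp-admin/includes/user.php)
// already excludes roles the current user cannot grant.
function secure_change_role( int $user_id, string $role ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to change roles.' );
    }
    $role = sanitize_key( $role );
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        return new WP_Error( 'bad_role', 'Role is not assignable.' );
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    return true;
}
```

The point of the split is that registration and role assignment are different trust levels: an unauthenticated visitor may create an account, but only a caller with `promote_users` may decide which role it carries, and even then only from the roles the site exposes as editable.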

IoT Device Takeovers Surge 100 Percent in 2020
2020-10-23 20:49

IoT devices are now responsible for 32.72 percent of all infections observed in mobile and Wi-Fi networks, up from 16.17 percent in 2019. In the Threat Intelligence Report 2020, released this week, researchers with Nokia's Threat Intelligence Lab said they expect the number of IoT infections to continue to grow "dramatically" as connected devices proliferate in homes and enterprise settings alike.

Microsoft Azure Flaws Open Admin Servers to Takeover
2020-10-08 15:28

Researchers have disclosed two flaws in Microsoft's Azure web-hosting service, App Services, which if exploited could enable an attacker to take over administrative servers. Azure App Services is an HTTP-based service for hosting web applications, and is available both in Microsoft Azure Cloud and as on-premises installations.

QNAP fixes critical flaws that could lead to device takeover
2020-10-07 13:13

QNAP has addressed two critical security vulnerabilities in the Helpdesk app that could enable potential attackers to take over unpatched QNAP network-attached storage devices. Helpdesk is the built-in app that comes with QNAP's NAS devices and allows admins to submit help requests to the QNAP support team over the Internet.

HP Device Manager vulnerabilities may allow full system takeover
2020-10-07 12:52

Three vulnerabilities affecting HP Device Manager, an application for remote management of HP Thin Client devices, could be chained together to achieve unauthenticated remote command execution as SYSTEM, security researcher Nick Bloor has found. HP Device Manager allows IT admins to remotely deploy, update, and manage thousands of HP Thin Clients through a single console.

Post Grid WordPress Plugin Flaws Allow Site Takeovers
2020-10-05 21:11

Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, open the door to site takeovers, according to researchers. The upshot is that attackers could use injected JavaScript to add a rogue administrator, plant a backdoor in plugin or theme files, or steal the administrator's session information, each of which is a path to complete takeover of a site.

Account Takeover Fraud Losses Total Billions Across Online Retailers
2020-10-02 19:48

In 2019 alone, ATO attacks cost consumers and e-commerce retailers $16.9 billion in losses. To be clear, ATO fraud isn't new; it has been a concern for online retailers for a decade.

Account takeover fraud rates skyrocketed 282% over last year
2020-09-30 16:46

ATO is the weapon of choice for fraudsters heading into the holiday shopping season, and consumers place the burden of account security on businesses, new data from digital trust and safety provider Sift shows. Account takeover fraud attempts targeting consumers and e-commerce merchants swelled 282% between Q2 2019 and Q2 2020, Sift finds.

Instagram Remote Account Takeover Required No Action From Victim
2020-09-24 16:43

A vulnerability in Instagram allowed an attacker to take over an Instagram account and turn the victim's phone into a spying tool simply by sending a malicious image over any media-exchange platform. Check Point Research decided to examine Instagram because of its size and popularity.