Security News

A remote code execution vulnerability addressed recently in Concrete5 exposed numerous websites to attacks, Edgescan reports. What Edgescan discovered was an RCE flaw in Concrete5 that could have allowed an attacker to inject a reverse shell into vulnerable web servers, thus taking full control of them.

The two critical flaws discovered by researchers include an arbitrary file-upload vulnerability, ranking 10 out of 10 on the CVSS scale; as well as an unauthenticated arbitrary file deletion error, ranking 9.9 out of 10. "Any of the 30,000 sites running the plugin are subject to any file being deleted, which includes the wp-config.php file, by unauthenticated site users."

While brute-forcing and password spraying techniques are the most common way to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place. According to Abnormal Security, cybercriminals are zeroing in on email clients that don't support modern authentication, such as mobile email clients; and legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won't be subject to that protection.

Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code-execution and even site takeover. The Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress.

A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup "Group," access the group's member details and even redirect Meetup payments to an attacker-owned PayPal account.

Two high-risk vulnerabilities in Meetup, a popular online service that's used to create groups that host local in-person events, allowed attackers to easily take over any Meetup group, access all group functions and assets, and redirect all Meetup payments/financial transactions to their PayPal account. What's more, attackers could create a worm to take over all meetings on the site - including private ones - and do all of these things.

The report reveals a specialized economy emerging around email account takeover and takes an in-depth look at the threats organizations face and the types of defense strategies you need to have in place. Report highlights More than one-third of the hijacked accounts analyzed by researchers had attackers dwelling in the account for more than one week.

Accertify announced the launch of a new solution designed to help organizations address the significant rise in fraudulent online account openings and account takeovers. Fraudulent account openings, using stolen or fake names and information to open an account, and account takeovers, defined as unauthorized access to accounts, are two types of identity theft that are concerningly on the rise.

About 8,000 users of F5 Networks' BIG-IP family of networking devices are still vulnerable to full system access and remote code-execution, despite a patch for a critical flaw being available for two weeks. Public exploits were made available for it, leading to mass scanning for vulnerable devices by attackers, and ultimately active exploits.

A critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS bug-severity scale, has been disclosed for SAP customers. The bug has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted.