Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A zero-day vulnerability, denoted by the CVE identifier CVE-2023-30777, exposes a dangerous reflected cross-site scripting (XSS) flaw. This high-severity vulnerability has been discovered within the WordPress plugin (Advanced Custom Fields (ACF) and Advanced Custom Fields Pro). The CVE-2023-30777 exposes over 2 million installations to security risks, triggering widespread concern and anxiety among website owners and administrators.

The Smashing Security podcast recently invited our Director of Product Management, John Stock, on to discuss our Vulnerability Prediction Technology (VPT) tool, the security challenges brought by remote work, and the importance of balancing risk management with business goals.

On May 31, 2023, Progress released a security advisory warning customers of a critical zero-day vulnerability being actively exploited in MOVEit Transfer, a managed file transfer (MFT) solution. The exploitation of this vulnerability could lead to escalated privileges and potential unauthorized access to an environment, allowing threat actors to steal data and extort organizations.

On May 31st, 2023, a working exploit has been publicly released for a remote code execution (RCE) vulnerability (CVE-2023-33733), impacting ReportLab PDF Toolkit python libraries of versions prior to 3.6.13. The researcher of the POC has previously contacted ReportLab in April 2023, detailing this vulnerability and ReportLab has released a fix on April 27th, 2023, through ReportLab 3.6.13.

A new critical zero-day vulnerability in the MOVEit Transfer software is being actively exploited by attackers to exfiltrate data from organizations. MOVEit Transfer is a managed file transfer (MFT) software, developed by Progress, designed to provide organizations a way to securely transfer files, which can be implemented on-premise or as a cloud SaaS platform. According to BleepingComputer, attackers have been actively exploiting MOVEit Transfer to download data from organizations.

Jetpack, an extremely popular WordPress plugin that provides a variety of functions including security features for around five million websites, has received a critical security update following the discovery of a bug that has lurked unnoticed since 2012. Jetpack's maintainers, Automattic, announced on Tuesday that it had worked closely with the WordPress security team to push out an automatic patch for every version of Jetpack since 2.0.

Lightweight Directory Access Protocol (LDAP) is an authentication mechanism for securing web applications. LDAP is popular because it's lightweight and scales easily — features that appeal to developers, but mean that LDAP databases often store large amounts of valuable information. This makes them an attractive target for attackers. Applications construct LDAP queries derived from user inputs to access and manipulate the information stored in LDAP databases.

Large language models have gained immense popularity among web users today owing to the generation of human-like text responses. However, as with any technology, LLM is not without its risks and safety issues.

The AWS cloud platform is one of the most used cloud platforms in the world. It gives companies a level of flexibility with its myriad of uses but it is not without its own challenges, namely, maintaining security.

Designed to support the digital resiliency of financial institutions in the EU and UK, the Digital Operational Resilience Act is set to go in effect in January 2025. In this blog, we take a deep dive into what organizations must do in order to be compliant with this new legislation. Digital resiliency is one of the financial sector's most significant challenges today.