VERT’s Cybersecurity News for the Week of August 29, 2022
All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of August 29th, 2022. I’ve also included some comments on these stories.
WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites
The WordPress team this week announced the release of version 6.0.2 of the content management system (CMS), notes Security Week, with patches for three security bugs, including a high-severity SQL injection vulnerability.
“The content management system is subject to a SQL injection vulnerability. The issue exists in the WordPress Link functionality and usually affects older versions of WordPress. The functionality is disabled in newer versions of WordPress by default. The vulnerability exists because of improper sanitization of the limit argument of the link retrieval query in the get_bookmarks function. This vulnerability is patched in WordPress 6.0.2 and later.”
Over 1,000 iOS apps found exposing hardcoded AWS credentials
Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable, Bleeping Computer reports.
“Both iOS and Android apps have exposed AWS credentials. With these credentials an attacker could gain access to databases or other services. It was estimated that 77% of the applications contained AWS tokens that could be used to access private cloud services. The security researchers noted that about 874 applications contained valid credentials that could be used to access database records that potentially contain sensitive personal information.”
Microsoft Discover Severe ‘One-Click’ Exploit for TikTok Android App
Microsoft on Wednesday disclosed details of a now-patched “high severity vulnerability” in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link, explains The Hacker News.
“The TikTok app for Android is subject to an account hijack vulnerability. An attacker could gain access to the user’s profile and sensitive information. To exploit this issue an attacker needed to convince a user to open a malicious link. This issue is tracked as CVE-2022-28799. This vulnerability was resolved in version 23.7.3 and later.”
PowerCMS XMLRPC API vulnerable to command injection
Overview PowerCMS XMLRPC API contains a command injection vulnerability, according to the Japan Vulnerability Notes. Products affected include PowerCMS 6.021 and earlier (PowerCMS 6 Series), and PowerCMS 5.21 and earlier (PowerCMS 5 Series).
“The XMLRPC API in PowerCMS is subject to a command injection vulnerability. An attacker could execute code upon successful exploitation of this vulnerability. To exploit this issue an attacker needs to specially craft a HTTP POST request to the PowerCMS XMLRPC API. Patches and mitigations have been released.
Affected Versions:
PowerCMS 6.021 and earlier
PowerCMS 5.21 and earlier
PowerCMS 4.51 and earlier
PowerCMS 3.x and earlier #end of life”
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.