SQL injection attack | Breaking Cybersecurity News | The Hacker News

Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database," the company  said  in an advisory released on June 9, 2023. "An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content." The flaws, which impact all versions of the service, have been addressed in MOVEit Transfer versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All  MOVEit Cloud instances  have been fully patched. Cybersecurity firm Huntress has been  credited  with d

After releasing a patch for a critical zero-day remote code execution vulnerability late last month, vBulletin has recently published a new security patch update that addresses 3 more high-severity vulnerabilities in its forum software. If left unpatched, the reported security vulnerabilities, which affect vBulletin 5.5.4 and prior versions, could eventually allow remote attackers to take complete control over targeted web servers and steal sensitive user information. Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers over 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums. Discovered by application security researcher Egidio Romano, the first vulnerability, tracked as CVE-2019-17132 , is a remote code execution flaw, while the other two are SQL injection issues, both assigned a single ID as CVE-2019-17271 . vBulletin RCE and SQLi Flaws The RCE flaw resides in the w

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

If your e-commerce website runs on the OXID eShop platform , you need to update it immediately to prevent your site from becoming compromised. Cybersecurity researchers have discovered a pair of critical vulnerabilities in OXID eShop e-commerce software that could allow unauthenticated attackers to take full control over vulnerable eCommerce websites remotely in less than a few seconds. OXID eShop is one of the leading German e-commerce shop software solutions whose enterprise edition is being used by industry leaders including Mercedes, BitBurger, and Edeka. Security researchers at RIPS Technologies GmbH shared their latest findings with The Hacker News, detailing about two critical security vulnerabilities that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software. It should be noted that absolutely no interaction between the attacker and the victim is necessary to execute both vulnerabilities, and the flaws work against the def

A new powerful hacking tool recently introduced in an underground forum is making rounds these days, allowing anyone to rapidly conduct website scans for SQL injection flaws on a massive scale — all controlled from a smartphone using the Telegram messaging application. Dubbed Katyusha Scanner , the fully automated powerful SQLi vulnerability scanner was first surfaced in April this year when a Russian-speaking individual published it on a popular hacking forum. Researchers at Recorded Future's Insikt Group threat intelligence division found this tool for sale on an underground hacking forum for just $500. Users can even rent the Katyusha Scanner tool for $200. According to the researchers, Katyusha Scanner is a web-based tool that's a combination of Arachni Scanner and a basic SQL Injection exploitation tool that allows users to automatically identify SQLi vulnerable sites and then exploits it to take over its databases. Arachni is an open source vulnerability scann

A SQL Injection vulnerability has been discovered in one of the most popular Wordpress plugins, installed on over 300,000 websites, which could be exploited by hackers to steal databases and possibly hijack the affected sites remotely. The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information related to the number of users online on their sites, the number of visits and visitors, and page statistics. Discovered by Sucuri team, WordPress plugin WP Statistics is vulnerable to SQL Injection flaw that allows a remote attacker, with at least a subscriber account, to steal sensitive information from the website's database and possibly gain unauthorized access to websites. SQL Injection is a web application bug that allows hackers to inject malicious Structured Query Language (SQL) code to web inputs in order to determine the structure and location of key databases, which eventually allows stealing of

Next time when you hear an announcement in the flight, " Ladies and gentlemen, this is your captain speaking… ," the chances are that the announcement is coming from a hacker controlling your flight. Dangerous vulnerabilities in an in-flight entertainment system used by the leading airlines, including Emirates, United, American Airlines, Virgin, and Qatar, could let hackers hijack several flight systems and even take control of the plane. According to security researchers from IOActive , the security vulnerabilities resides in the Panasonic Avionics In-Flight Entertainment (IFE) system used in planes run by 13 major airlines, providing a gateway for hackers which is absolutely terrifying. The security holes could be exploited by hackers that could allow them to spoof flight information like map routes, speed statistics, and altitude values, and steal credit card information. IOActive's Ruben Santamarta managed to "hijack" in-flight displays to change info

A critical vulnerability has been discovered in one of the most popular plugins of the the WordPress content management platform that puts more than one Million websites at risks of being completely hijacked by the attackers. The vulnerability actually resides in most versions of a WordPress plugin called Wettable Powder Slimstat (WP-Slimstat) . While there are more than 70 million websites on the Internet currently running WordPress, more than 1.3 Million of them use the 'WP-Slimstat' Plugin , making it one of the popular plugins of WordPress for powerful real-time web analytic. All the WP-Slimstat versions prior to the latest release of Slimstat 3.9.6 contain an easily guessable 'secret' key which is used to sign data sent to and from the visiting end-user computers, explained in a blog post published Tuesday by Web security firm Sucuri. Once the weak 'secret' key is break, an attacker could perform an SQL injection attack against the target website