User Rank: Apprentice
12/24/2014 | 1:00:21 AM
Under PCI DSS a cash register in New York can talk to a cash register in San Diego. Why? Why are all the networks logically flat? For that matter, why is any data stored as close to the entryways into the network as they are today? You wouldn't store the keys to your building in the lobby, why are you storing your password in what is essentially the lobby to the Internet?
The entire model is broken. Software vendors who create the whiz-bang tools do so in a way where they have to be the center of your universe. When they are not, they implement standards in such a way that dangerous decisions have to be made if a company is trying to build a system.
And speaking of building a system, what is wrong with custom code? Does your house have all the cookie-cutter pre-built options? Did you add on to it? Change the wallpaper? What about redoing the electricity to support networking and the upgraded air conditioner? Then why are you still insisting that you open the COTS box and it work without doing the same? You are building systems like they built houses in the post-World War II era. Pre-fabricated and thrown together as quickly as possible without regard for what would happen with the first really big storm, flood, or other disaster. Like the ol' saltbox built in 1950, you either have to spend tons of money to repair and maintain it while it is being attacked or you have to spend money to tear it down and rebuild it.
Why do it right when you can do it wrong for twice the price?!
You think I'm kidding? Ask Target and Home Depot how much damage would have been done if they isolated their point-of-sale networks from each other. What about Sony? How much damage was done because they left their open mail by the front door for the first person to walk in to take it from them?
Saying that PCI DSS can help stop breaches is like saying the TSA will stop terrorism on an airplane. Just like Hannaford Foods was PCI DSS certified, the TSA did not stop the gun-running scheme between Atlanta and New York. It only came to light when the Brooklyn DA was investigating something else... sort of like how Neiman-Marcus found its problems.
Security is NOT a checklist or a product. It is the result of a risk assessment to determine the risks and their mitigations. Security is a process, just like the physical security that every business maintains. Until these rank amateurs understand this, there is no reason to think that PCI DSS in any of its forms will be anything more than a Band-Aid on a gushing wound!
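The segmentation point the comment above makes (a register in one store should have no path to a register in another) can be made concrete. The following is an added example, not the commenter's code and not any vendor's or card brand's reference configuration: a default-deny segmentation policy for point-of-sale networks, evaluated against sample flows, with the same policy rendered as an nftables forward chain. Segment names, address ranges, host addresses and the choice of port 443 to a "payment gateway" segment are all constructed for illustration.

```python
# Added example (not from the original comment): default-deny POS network
# segmentation, evaluated against constructed flows and rendered as nftables.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """One explicit allow: src network -> dst network on a TCP port (0 = any port)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


# Hypothetical address plan: one /24 per store's registers, a payment gateway
# segment that terminates card transactions, and a corporate segment.
SEGMENTS = {
    "pos_ny": ipaddress.ip_network("10.10.0.0/24"),
    "pos_sd": ipaddress.ip_network("10.20.0.0/24"),
    "payment_gw": ipaddress.ip_network("10.0.1.0/24"),
    "corp": ipaddress.ip_network("10.100.0.0/16"),
}


def flat_policy() -> List[Rule]:
    """The 'logically flat' network: anything in 10/8 reaches anything else."""
    any_net = ipaddress.ip_network("10.0.0.0/8")
    return [Rule(any_net, any_net, 0)]


def segmented_policy() -> List[Rule]:
    """Registers may only initiate HTTPS to the payment gateway.

    Nothing else is listed, so register-to-register, store-to-store and
    store-to-corporate traffic falls through to the default deny.
    """
    return [Rule(SEGMENTS[s], SEGMENTS["payment_gw"], 443) for s in ("pos_ny", "pos_sd")]


def allowed(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching allow wins; no match means the flow is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if src in r.src and dst in r.dst and r.dport in (0, dport):
            return True
    return False  # default deny


def blast_radius(policy: List[Rule], compromised_ip: str,
                 candidates: List[str], dport: int) -> List[str]:
    """Hosts a compromised register could reach on dport: its lateral-movement reach."""
    return sorted(ip for ip in candidates if allowed(policy, compromised_ip, ip, dport))


def to_nftables(policy: List[Rule]) -> str:
    """Render the policy as an nftables forward chain whose base policy is drop."""
    lines = [
        "table inet pos_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        port = f" tcp dport {r.dport}" if r.dport else ""
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst}{port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed targets: a sibling register in NY, a register in SD,
    # the payment gateway, and a corporate host.
    targets = ["10.10.0.9", "10.20.0.7", "10.0.1.10", "10.100.3.3"]
    for name, pol in (("flat", flat_policy()), ("segmented", segmented_policy())):
        print(f"{name}: reach from compromised register 10.10.0.5 ->",
              blast_radius(pol, "10.10.0.5", targets, 443))
    print(to_nftables(segmented_policy()))
```

Run stand-alone, the flat policy lets a compromised register in New York reach every other host, including the San Diego register, while the segmented policy leaves it only the payment gateway on 443. The rendered nftables chain shows why: the base policy is drop and the only accept lines are register-to-gateway, so isolation comes from what is not written rather than from a list of blocks.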