Weekly threat roundup: DuckDuckGo, Chrome, Cisco

  Tracked as CVE-2021-21193, the use-after-free memory bug is the third Chrome flaw to be discovered in recent weeks for which there’s been an exploit circulating online.

  Google has patched the flaw alongside five bugs overall, including two further highly-rated vulnerabilities tracked as CVE-2021-21191 and CVE-2021-21192. The first of these is another use-after-free flaw in the WebRTC component, used for audio streaming, while the second is a heap buffer overflow vulnerability present in tab groups.

  An XSS flaw in the Elementor WordPress plugin, actively installed on more than 7 million websites, may have allowed unauthorised users to access the Elementor editor to take control of targeted sites.

  Elementor, which is one of the largest free WordPress site builders, was patched by its developers after the Wordfence security team alerted them to the presence of the medium-rated XSS vulnerability. If exploited, the flaw may have allowed hackers to infiltrate Elementor to add malicious JavaScript to posts, and then execute this code to seize control of the site if the victim held administrative privileges.

  Meanwhile, researchers with PatchStack identified a remote code execution vulnerability in another WordPress plugin known as WP Super Cache, which is used to cache pages of a WordPress site. This vulnerability could’ve been exploited by hackers to upload and execute malicious code on a targeted site in order to seize control.

  Cisco has identified and patched a highly-rated vulnerability in a handful of its small business router products.

  This remote code execution and denial of service (DoS) vulnerability, tracked as CVE-2021-1287, was present in the web-based management interface for Cisco RV132W ADSL2+ Wireless-N VPN routers and RV134W VDSL2 Wireless-AC VPN routers. Remote hackers could have exploited the flaw to execute code on an affected device or cause it to restart unexpectedly.

  Before the patch, the management interface did not properly validate user input. An attacker may have exploited this by sending crafted HTTP requests to an affected device, with successful attacks allowing them to execute code as the root user on the operating system, or cause the device to reload. This would lead to the router being locked in a DoS state.
