After observing attacks on customers , Cisco is telling users to i nstall Vulnerability-related.PatchVulnerability the fix for a recently disclosed denial-of-service flaw a ffecting Vulnerability-related.DiscoverVulnerability a number of its security appliances . The flaw , t racked as Vulnerability-related.DiscoverVulnerability CVE-2018-0296 , was detailed in an advisory on June 6 and a ffects Vulnerability-related.DiscoverVulnerability Cisco ASA Software and Cisco Firepower Threat Defense ( FTD ) Software . `` Cisco strongly recommends that customers u pgrade Vulnerability-related.PatchVulnerability to a fixed software release to r emediate Vulnerability-related.PatchVulnerability this issue , '' Omar Santos of Cisco 's Product Security Incident Response Team w arned Vulnerability-related.DiscoverVulnerability on June 22 . The attacks follow the publication of proof-of-concept exploits for the flaw . Santos n otes Vulnerability-related.DiscoverVulnerability that a unauthenticated , remote attacker could cause a device to reload unexpectedly and cause a denial-of-service ( DoS ) condition . Additionally , an exploit could cause a DoS or unauthenticated disclosure of information . However , Santos said : `` Only a denial-of-service condition ( device reload ) has been observed by Cisco . '' Cisco h as also updated Vulnerability-related.PatchVulnerability the advisory for CVE-2018-0296 with details about the attacks . The researcher who f ound Vulnerability-related.DiscoverVulnerability the flaw , Michał Bentkowski from Polish security firm Securitum , gave a brief description of the root cause in a tweet shortly after Cisco d isclosed Vulnerability-related.DiscoverVulnerability the bug . Bentkowsky r eported Vulnerability-related.DiscoverVulnerability the issue to Cisco as a way to use directory-traversal techniques to disclose information to an unauthenticated attacker . Cisco labeled its primary impact as a DoS condition , but said it is possible that on certain releases of ASA a device reload would not occur , yet still allow an attacker to use directory-traversal techniques to view sensitive system information . Bleeping Computer i dentified Vulnerability-related.DiscoverVulnerability two proof-of-concept exploits for CVE-2018-0296 on GitHub . One attempts to e xtract Attack.Databreach user names from Cisco ASA . The other states : `` If the web server is vulnerable , the script will dump in a text file both the content of the current directory , files in +CSCOE+ and active sessions . ''

WordPress 5.0 users are being urged to u pdate Vulnerability-related.PatchVulnerability their CMS software to f ix Vulnerability-related.PatchVulnerability a number of serious bugs . The update ( WordPress 5.0.1 ) a ddresses Vulnerability-related.PatchVulnerability seven flaws and w as issued Vulnerability-related.PatchVulnerability Thursday , less than a week after WordPress 5.0 w as released. Vulnerability-related.PatchVulnerability The most serious of the flaws is a bug that allows the WordPress “ user activation screen ” to be indexed by Google and other search engines , leading to the possible public exposure of WordPress usernames and passwords . “ The user activation screen could be indexed by search engines in some uncommon configurations , leading to exposure of email addresses , and in some rare cases , default generated passwords , ” wrote security firm Wordfence in a blog post outlining the flaws . Wordfence s aid Vulnerability-related.DiscoverVulnerability all WordPress users running versions of the 4.x branch of WordPress core a re also impacted Vulnerability-related.DiscoverVulnerability by similar issues . It urges those 4.x users , not ready to update to the 5.0 branch , to i nstall Vulnerability-related.PatchVulnerability the WordPress 4.9.9 security update ( also r eleased Vulnerability-related.PatchVulnerability this week ) , which a ddresses Vulnerability-related.PatchVulnerability similar bugs . Three of the bugs f ixed Vulnerability-related.PatchVulnerability with the release of WordPress 5.0.1 are cross-site scripting ( XSS ) vulnerabilities . Two of the XSS bugs could allow for an adversary to launch a privilege escalation attack . “ Contributors could edit new [ WordPress web-based ] comments from higher-privileged users , potentially leading to a cross-site scripting vulnerability , ” Wordfence wrote . “ This is another vulnerability that requires a higher-level user role , making the likelihood of widespread exploitation quite low . WordPress a ddressed Vulnerability-related.PatchVulnerability this issue by removing the < form > tag from their HTML whitelist. ” WordPress plugins a re potentially impacted Vulnerability-related.DiscoverVulnerability by a third XSS bug that opens up sites to attacks launched by adversaries who send specially crafted URLs to affected sites . According to researchers , the bug d oesn’t impact Vulnerability-related.DiscoverVulnerability WordPress 5.0 directly , rather the “ wpmu_admin_do_redirect ” function used by some WordPress plugins . “ Specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances , ” they said . A PHP ( Hypertext Preprocessor ) bug w as also identified Vulnerability-related.DiscoverVulnerability by WordPress . This bug is more technical in nature and w as found Vulnerability-related.DiscoverVulnerability by Sam Thomas , of Secarma Labs , who p ublicly disclosed Vulnerability-related.DiscoverVulnerability it at the 2018 Black Hat conference . “ This vulnerability allows an author to assign an arbitrary file path to an attachment . The file path supplied by the author uses the phar : // stream wrapper on a previously uploaded attachment which leads to object injection utilizing a “ feature ” of the PHAR file type which stores serialized objects in the metadata of the PHAR file , ” wrote Wordfence . WordPress is also warning users of a unauthorized file deletion bug and an unauthorized post creation bug .