Weekly threat roundup: Froala, WordPress, Siemens

Pulling together the most dangerous and pressing flaws that businesses need to patch

Patch management is far easier said than done, and security teams may often be forced into prioritising fixes for several business-critical systems, all released at once. It's become typical, for example, to expect dozens of patches to be released on Microsoft's Patch Tuesday, with other vendors also routinely getting in on the act.

Below, IT Pro has collated the most pressing disclosures from the last seven days, including details such as a summary of the exploit mechanism, and whether the vulnerability is being exploited in the wild. This is in order to give teams a sense of which bugs and flaws might pose the most dangerous immediate security risks.

XSS flaw found in Froala web editor

Bishop Fox researcher Chris Davis has uncovered a cross-site scripting (XSS) vulnerability in the Froala website editor used to build roughly 30,000. 

Tracked as CVE-2021-28114, the vulnerability affects Foala versions 3.2.5 and earlier and is embedded in its HTML sanitisation parsing protocol, which allows attackers to bypass existing XSS protections. This is a high-risk flaw and can be triggered remotely. 

Fraola is a what-you-see-is-what-you-get (WYSIWYG) HTML rich-text editor that's used in third-party sites to provide text editing functionality, including HTML text. The latest version of the application was released on 18 May this year and includes a patch for the flaw.

Critical zero-day found in WordPress plugin

A critical file upload vulnerability in the Fancy Product Designer WordPress plugin has been actively exploited by cyber criminals, according to researchers with Wordfence. 

The flaw, tracked as CVE-2021-24370, is rated 9.8 on the CVSS threat severity scale and has been disclosed publicly with minimal details due to the fact it's under active exploitation. Hackers have been abusing the flaw in the plugin, which allows users to upload images and PDF files that can be added to listed products on their sites. 

The flaw is possible to exploit in some configurations even if the plugin has been deactivated. All users, therefore, were initially urged to uninstall Fancy Product Designer until a patched version was made available, although this has now been released. 

Siemens fixes series of automation products 

Siemens has released patches for a critical memory protection flaw embedded in a set of automation products, which hackers could exploit to run arbitrary code to access memory.

The vulnerability, tagged CVE-2020-15782, is highly critical and affects seven products across Siemens' automation product series SIMATIC S7-1200 and S7-1500 CPU. These appliances are conventionally used to control applications and tasks for medium and complex mechanical engineering and factory plant buildings. 

Hackers could exploit these flaws to remotely obtain read-write memory access, which can allow them to read data, as well as use this as a springboard to launch further attacks. 

Siemens has strongly advised that operators enable password protection for S8 communication and configure additional access protections. They should also block remote client connections, prevent physical access to critical components, and ensure the vulnerable systems aren't connected to untrusted networks. 

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
IBM reports biggest sales growth in ten years
hybrid cloud

IBM reports biggest sales growth in ten years

25 Jan 2022