Security researchers have identified two vulnerabilities in the Joomla content management system that can be chained together for complete compromise of the
In Wake of Breaches, Accellion Faces at Least 14 Lawsuits
May 5, 2021
HealthInfoSec • April 7, 2021
At least 14 lawsuits seeking class-action status have been filed against Accellion in the wake of breaches that exploited zero-day flaws in the vendor's 20-year-old File Transfer Appliance. A motion to consolidate the cases has also been filed.
Outdated Product
A lawsuit against Accellion and one of its clients, the supermarket chain Kroger, notes that key people within Accellion have acknowledged the need to leave the FTA platform behind due to the security concerns raised by it.
Accellion’s CMO, Joel York, confirmed that the company is encouraging its clients to discontinue use of FTA because it does not protect against modern data breaches, the lawsuit notes.
Some Accellion data breach victims have subsequently been extorted, with those not paying seeing their data publicly released by the Clop ransomware gang. This is that group's website.
Software company Accellion has released preliminary findings around the security incident that has stung some customers that used its 20-year-old File Transfer Appliance.
The company says that fewer than 100 customers have been attacked as the result of four now-patched vulnerabilities in the FTA, and that fewer than 25 appear to have suffered significant data theft, according to a news release on Monday.
Accellion's CMO, Joel York, tells ISMG that after the attackers found one vulnerability in the FTA in December, they kept looking and found others in January (see: Accellion: How Attackers Stole Data and Ransomed Companies).
BankInfoSecurity
PayPal has patched a cross-site scripting - or XSS - vulnerability in its currency conversion endpoint that, if exploited, could enable malicious JavaScript injection.
The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y, who was paid $2,900 as part of HackerOne's bug bounty program.
Responding in the HackerOne forum, PayPal notes the vulnerability resulted in its currency conversion URL improperly handling user input. An attacker exploiting the vulnerability could perform JavaScript injection or add other malicious code to the URL to access the document object model on the victim's browser. By loading a malicious payload into a victim's browser, hackers could steal data or take control of a device.
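The bug class described above, improper handling of user input in a URL that is reflected into the page, is shown here as an added example that is not PayPal's code and does not describe its actual endpoint. A hypothetical currency-conversion handler echoes the requested currency codes back into HTML; the vulnerable version inserts them unencoded, the hardened version validates them against an allowlist and HTML-encodes anything that is echoed. The rates and the request objects are constructed sample data.

```javascript
// Added example: reflected input in a hypothetical currency-conversion
// endpoint. Not PayPal's code; rates and requests are constructed samples.

// Constructed sample rates, expressed relative to USD.
const RATES = { USD: 1, EUR: 0.92, GBP: 0.79 };

// Encode the characters that let user-controlled text change HTML structure.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allowlist check: only codes present in the rate table are accepted.
function isKnownCurrency(code) {
  return Object.prototype.hasOwnProperty.call(RATES, code);
}

// Convert amount between two known currencies; null when a code is unknown.
function convert(amount, from, to) {
  if (!Number.isFinite(amount) || !isKnownCurrency(from) || !isKnownCurrency(to)) {
    return null;
  }
  return Math.round(amount * (RATES[to] / RATES[from]) * 100) / 100;
}

// Vulnerable: query-string values are placed straight into the HTML,
// so markup or script in the currency code is rendered by the browser.
function renderVulnerable(query) {
  const result = convert(Number(query.amount), query.from, query.to);
  if (result === null) {
    return `<p>Unknown currency: ${query.from} or ${query.to}</p>`;
  }
  return `<p>${query.amount} ${query.from} = ${result} ${query.to}</p>`;
}

// Hardened: the same response, but every reflected value is HTML-encoded
// and the amount is normalised to a number before it is echoed.
function renderHardened(query) {
  const amount = Number(query.amount);
  const from = escapeHtml(query.from);
  const to = escapeHtml(query.to);
  const result = convert(amount, query.from, query.to);
  if (result === null) {
    return `<p>Unknown currency: ${from} or ${to}</p>`;
  }
  return `<p>${amount} ${from} = ${result} ${to}</p>`;
}

// Simple check used when reviewing rendered output: did a script element
// appear in HTML whose template never contained one?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

// Constructed requests: a normal one and one carrying markup in a parameter.
const normalRequest = { amount: "100", from: "USD", to: "EUR" };
const markupRequest = { amount: "10", from: "<script>/* injected */</script>", to: "EUR" };

console.log("vulnerable:", renderVulnerable(markupRequest));
console.log("hardened:  ", renderHardened(markupRequest));
console.log("normal:    ", renderHardened(normalRequest));
```

The hardened handler does two independent things: the allowlist keeps unknown codes out of the rate lookup, and the encoding guarantees that whatever is echoed back, including the rejected code in the error message, is treated by the browser as text rather than markup. Encoding at the point of output is the fix that matters for this bug class; validation alone still leaves the error path reflecting the raw value.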