Security
Headlines
HeadlinesLatestCVEs

Source

CVE

CVE-2023-25994: WordPress Publish to Schedule plugin <= 4.4.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Alex Benfica Publish to Schedule plugin <= 4.4.2 versions.

CVE
Open in Source
#csrf#vulnerability#wordpress#auth
CVE-2023-46743: The same file cannot be opened with different rights

application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachments files in view or edit mode. Currently, if a user opens an attachment file in edit mode in collabora, this right will be preserved for all future users, until the editing session is closes, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the `userCanWrite` query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3.

CVE-2023-46894: Cryptographic API Misuse Vulnerability: AES ECB used for initialization (ESPTOOL-756) · Issue #926 · espressif/esptool

An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.

CVE-2023-6039: cve-details

A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.

CVE-2023-47373: CVE-reports/DRAGON FAMILY.md at main · syz913/CVE-reports

The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47372: CVE-reports/UPDATESALON C-LOUNGE.md at main · syz913/CVE-reports

The leakage of channel access token in UPDATESALON C-LOUNGE Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47370: CVE-reports/bluetrick.md at main · syz913/CVE-reports

The leakage of channel access token in bluetrick Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47368: CVE-reports/taketorinoyu.md at main · syz913/CVE-reports

The leakage of channel access token in taketorinoyu Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-43791: Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens

Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.

CVE-2023-41138: 2023-11 security advisory

The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.