Cross-Site Request Forgery (CSRF) vulnerability in euPago Eupago Gateway For Woocommerce plugin <= 3.1.9 versions.

**Solution**

 Fixed

Update the WordPress Eupago Gateway For Woocommerce plugin to the latest available version (at least 3.1.10).

Skalucy discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Eupago Gateway For Woocommerce Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 3.1.10.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45638: WordPress Eupago Gateway For Woocommerce plugin <= 3.1.9 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.



					


				


			


		


	


2023-10-16 10:38 (CEST) VDE-2023-043  

**Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual**  
Share: Email | Twitter  

**Published**

2023-10-16 10:38 (CEST)

**Last update**

2023-10-16 10:38 (CEST)

**Vendor(s)**

Helmholz GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

myREX24

<= 2.14.2

myREX24.virtual

<= 2.14.2

**CVE ID**

**Last Update:**

Oct. 16, 2023, 10:59 a.m.

**Severity**

**Weakness**

Improper Privilege Management  (CWE-269) 

**Summary**

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.

**Details**

**Solution**

Update to latest Version 2.14.3

**Reported by**

OTORIO reported the vulnerabilities to Red Lion Europe.

Red Lion Europe reported the vulnerabilities to Helmholz.

CERT@VDE coordinated.

CVE-2023-4834: VDE-2023-043 | CERT@VDE

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators

CVE-2023-4620

Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade Comments Ratings plugin <= 1.1.7 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Comments Ratings Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45654: WordPress Comments Ratings plugin <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Kevin Weber Lazy Load for Videos plugin <= 2.18.2 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Lazy Load for Videos Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45656: WordPress Lazy Load for Videos plugin <= 2.18.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, 

some sensitive params  checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile"....

.  

Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/8604 



**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-43668

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. 


%PDF-1.7 %���� 1 0 obj <> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 49 0 R 53 0 R 54 0 R 57 0 R 72 0 R 75 0 R 76 0 R 77 0 R 78 0 R 79 0 R\] /MediaBox\[ 0 0 595.32 841.92\] /Contents 6 0 R/Group<>/Tabs/S>> endobj 4 0 obj <> stream ����JFIF����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222����"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?��(�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� )��Ā����S�&��QE0 (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (����݋Kb��xQ�VY�)bpɮ\[P�7w%��^W��c~�GO��ta��I�&�|��D�Ĥ��ϯ�t����G��b�����W����7������PӞ&�Q\_Ny�EPEPEPEPEPEPEP\\��:�4�nn�k���� �0V\`>�g��WO}{o��O{w\*�o$�� ��|e���x��W����~��#�,���<��h��ᥬ��\[������������5�?L\_�^\\�n$7���s�{��5�����9�aKo��� x����t-b�K����\\��cu7#���z��5�� ��(�\[a����(��\_��}����ᥬ��\[������֟��h-+Y׬��&\[�\\G���2�=21�8�|�J "�>�����ߎ?�.����T���|��q����������MF��o��mk��s������������|��&�>>���GS\_ �K�\[6�x�xy{/���j�\*�#�Z������ �Mz'��I��>�P\]"\[X���� �|q�q��ɞ��犼Eg�د�n��5�&>�f����k?h��M�{-�����'ܞh�|U�����'��\_C�v��!�g �zc���� -e�B�����+���%S���?��.�>��s�"�Q�-�%�،\`�>�۽�5�W�������O�������Z�Kq<�8bB�;tU$�Y����y(�nwv�Q�My������4� ����q���f�b�3^#�3�u���9-�� '���������h�9�ih�~��NW?�v�Z��\]��X���W��@�� .��,���+�<9��o�oN���'��7��v܌�=��Z�\_����o�ׄ\_� I�x�=\*I#�#o%�'�ge�6o��\*�3�A�$dR�)�S�8dH��XC4��~�r���i9���K%��:���Rk^�2��

CVE-2023-21415

%PDF-1.7 %���� 1 0 obj <> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/Annots\[ 37 0 R 41 0 R 42 0 R 45 0 R 65 0 R 68 0 R 69 0 R 70 0 R 71 0 R 72 0 R\] /MediaBox\[ 0 0 595.32 841.92\] /Contents 6 0 R/Group<>/Tabs/S>> endobj 4 0 obj <> stream ����JFIF����C    $.' ",#(7),01444'9=82<.342��C  2!!22222222222222222222222222222222222222222222222222����"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?��(�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� )��Ā����S�&��QE0 (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (�� (����݋Kb��xQ�VY�)bpɮ\[P�7w%��^W��c~�GO��ta��I�&�|��D�Ĥ��ϯ�t����G��b�����W����7������PӞ&�Q\_Ny�EPEPEPEPEPEPEP\\��:�4�nn�k���� �0V\`>�g��WO}{o��O{w\*�o$�� ��|e���x��W����~��#�,���<��h��ᥬ��\[������������5�?L\_�^\\�n$7���s�{��5�����9�aKo��� x����t-b�K����\\��cu7#���z��5�� ��(�\[a����(��\_��}����ᥬ��\[������֟��h-+Y׬��&\[�\\G���2�=21�8�|�J "�>�����ߎ?�.����T���|��q����������MF��o��mk��s������������|��&�>>���GS\_ �K�\[6�x�xy{/���j�\*�#�Z������ �Mz'��I��>�P\]"\[X���� �|q�q��ɞ��犼Eg�د�n��5�&>�f����k?h��M�{-�����'ܞh�|U�����'��\_C�v��!�g �zc���� -e�B�����+���%S���?��.�>��s�"�Q�-�%�،\`�>�۽�5�W�������O�������Z�Kq<�8bB�;tU$�Y����y(�nwv�Q�My������4� ����q���f�b�3^#�3�u���9-�� '���������h�9�ih�~��NW?�v�Z��\]��X���W��@�� .��,���+�<9��o�oN���'��7��v܌�=��Z�\_����o�ׄ\_� I�x�=\*I#�#o%�'�ge�6o��\*�3�A�$dR�)�S�8dH��XC4��~�r���i9���K%��:���Rk^�2��

SaaS security is broad, possibly confusing, but undeniably crucial. Make sure you have the basics in place: discovery, risk assessment, and user access management.

In today's fast-paced business world, software-as-a-service (SaaS) applications have transformed how we work. They offer unprecedented flexibility, collaboration, and efficiency, making them the go-to solution for most organizations. From project management to customer relationship management and file storage, SaaS applications touch nearly every aspect of daily business operations. With sensitive data and critical business processes housed in these platforms, the need for robust SaaS security has never been more pressing and clear.

SaaS security is multifaceted, covering many types of risks with tools offered by diverse vendors. SaaS security typically falls within SaaS security posture management (SSPM). While modern SSPM solutions provide automation and in-product remediation, they might be somewhat overwhelming at first, especially for smaller organizations that don't have large budgets or don't know where to start or what to prioritize.

During a career spanning two decades in the Israeli military serving various cyber-related roles, I learned the importance of breaking down large challenges into smaller pieces. Tackling a large problem starts with identifying the basic requirements. In this article, I will lay out three must-have SaaS security essentials that any organization can implement, regardless of budget or headcount. These are three steps you can introduce into your organization today.

**Step 1: Discover Your SaaS Usage**

After serving hundreds of SaaS-using companies, it is clear to me that most organizations have a serious SaaS shadow-IT problem. In fact, the average employee uses 28 SaaS applications at any given time. When you think about it, it makes sense: Most employees, when encountering a specific business need, will look up a fast and easy solution online. That solution is often a SaaS tool that requires permissions into the employee's work environment. Onboarding these SaaS applications often goes completely unnoticed by security and IT teams. So, before you can secure your SaaS environment, you must first have full visibility into every employee's SaaS usage, all the time.

**Step 2: Perform Risk Assessments on Each SaaS Application**

Now that you have a clear picture of your SaaS landscape, it's time to evaluate the security risks associated with each application. Not all SaaS applications are created equal, and some may pose a higher risk to your organization's data and operations. We should always be cautious as to where we keep or share sensitive data and who we trust with our most critical assets. There are several critical considerations for determining whether an application is risky or not. Here are a few:

*   The SaaS vendor's security and privacy compliances.
*   The SaaS vendor's size and location.
*   The SaaS app's marketplace presence: Has it been validated by others?
*   Is it a private or public company? Does it share its security status publicly?

This type of analysis is crucial not only for maintaining SaaS security; it is a significant factor in companies' vendor risk-assessment processes. SaaS is a third-party vendor, and assessment is part of how you manage a vendor's risk. Organizations cannot afford to turn a blind eye to their third-party risks of any size.

**Step 3: Ensure Users Have Only Necessary Permissions and Roles**

The third essential step is managing user permissions. Often, security breaches occur due to excessive permissions granted to users or that the users grant to certain applications. To mitigate this risk, follow these best practices:

*   **Least-privilege principle:** This means granting users only the permissions they absolutely need to perform their tasks. Avoid granting broad, blanket permissions that can lead to data exposure or unauthorized actions.
*   **Regular permission reviews:** Establish a process for regularly reviewing and updating user permissions and roles. This is especially true for your core business applications. Employees' roles and responsibilities can change over time, and permissions should be adjusted accordingly.
*   **Start with the admins:** Assessing all your employees and their roles and permissions across dozens of apps can be daunting and time consuming. I've learned that focusing on various admin roles and auto-approving low-permissions roles is a huge time saver.

**Why These Three?**

There are many ways to implement SaaS security practices. Some organizations prefer looking at sensitive files shared between these applications; others start with irregular user behaviors to tackle insider risks. These are all valid, and robust SSPM tools offer these capabilities. But for smaller organizations with tighter budgets or those that prefer to start small then expand, I firmly believe these three principles are the way to go. These are required by major compliance standards such as ISO 27001 and SOC 2 and fall under basic vendor risk-assessment and user-management requirements.

**Embrace SaaS Without Compromising Security**

By enforcing these three steps, you can make significant strides in protecting your digital workspace. Remember that security is an ongoing process, and continuous monitoring and adaptation are key to staying ahead of evolving threats in the SaaS landscape. By prioritizing security, you can ensure employees are free to fully embrace the advantages of SaaS while always keeping your organization safe from SaaS potential harm.

**About the Author**

    

A retired colonel from the elite 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing, and deploying some of the Israeli Defense Forces' most vital defensive and offensive cyber platforms as well as leading large and strategic operations. She was an integral part of developing the IDF's first cyber capabilities and continued improving and enhancing these capabilities throughout her career. She is the recipient of numerous accolades, including the prestigious Israeli Defense Award.

3 Essential Steps to Strengthen SaaS Security

The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Tag

#auth