Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

CVE-2023-46210: WordPress WC Captcha plugin <= 1.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WebCource WC Captcha plugin <= 1.4 versions.

CVE
Open in Source
#xss#vulnerability#web#wordpress#auth
CVE-2023-43139: [CVE-2023-43139] Improper Neutralization of Special Elements used in an OS Command in the Franfinance module for PrestaShop

An issue in franfinance before v.2.0.27 allows a remote attacker to execute arbitrary code via the validation.php, and controllers/front/validation.php components.

CVE-2023-36263: [CVE-2023-36263] Improper neutralization of SQL parameter in Opart limit quantity for PrestaShop

Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

CVE-2023-46356: [CVE-2023-46356] Improper neutralization of SQL parameter in Bl Modules - CSV Feeds PRO module for PrestaShop

In the module "CSV Feeds PRO" (csvfeeds) before 2.6.1 from Bl Modules for PrestaShop, a guest can perform SQL injection. The method `SearchApiCsv::getProducts()` has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

CVE-2023-45378: [CVE-2023-45378] Improper neutralization of SQL parameter in PrestaBlog module for PrestaShop

In the module "PrestaBlog" (prestablog) version 4.4.7 and before from HDclic for PrestaShop, a guest can perform SQL injection. The script ajax slider_positions.php has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

CVE-2023-27846: [CVE-2023-27846] Improper neutralization of SQL parameter in tvcmsblog module by themevolty for PrestaShop

SQL injection vulnerability found in PrestaShop themevolty v.4.0.8 and before allow a remote attacker to gain privileges via the tvcmsblog, tvcmsvideotab, tvcmswishlist, tvcmsbrandlist, tvcmscategorychainslider, tvcmscategoryproduct, tvcmscategoryslider, tvcmspaymenticon, tvcmstestimonial components.

CVE-2023-45899: [CVE-2023-45899] Improper Access Control in the superuser module edited by idnovate for PrestaShop

An issue in the component SuperUserSetuserModuleFrontController:init() of idnovate superuser before v2.4.2 allows attackers to bypass authentication via a crafted HTTP call.

CVE-2023-5862

Missing Authorization in GitHub repository hamza417/inure prior to Build95.

CVE-2023-5861: update · microweber/microweber@6ed7ebf

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-46129: xkeys Seal encryption used fixed key for all encryption

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if usi...