Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

MOVEit SQL Injection

This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.

Packet Storm
Open in Source
#sql#csrf#vulnerability#web#windows#microsoft#js#git#auth#sap#asp.net#ssl
GHSA-phwm-87rg-27qq: XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

### Impact It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token. ### Patches The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6. ### Workarounds There's no workaround for this other than upgrading XWiki. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-20339 * Commit containing the fix: https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-rwcp-qrwg-56cg: Casdoor Cross-Site Request Forgery vulnerability

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint `/api/set-password`. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

CVE-2023-34028: WordPress WOLF plugin <= 1.0.7 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.7 versions.

CVE-2023-34927: Casdoor Vulnerability

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

CVE-2023-32960: WordPress UpdraftPlus plugin <= 1.23.3 - CSRF lead to wp-admin Site Wide XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS).

CVE-2023-33725: Burptrast/docs/CVE-2023-33725 at main · Contrast-Security-OSS/Burptrast

Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA.