#csrf

On January 16, 2023, the Wordfence Threat Intelligence team responsibly disclosed several vulnerabilities in Quick Restaurant Menu, a WordPress plugin that allows users to set up restaurant menus on their sites. This plugin is vulnerable to missing authorization, insecure direct object reference, cross site request forgery as well as cross site scripting in versions up to, and including, 2.0.2.

Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0.

Differences in how the National Vulnerability Database (NVD) and vendors score bugs can make patch prioritization harder, study says.

Clockwork Web before 0.1.2, when used with Rails before 5.2 is used, allows Cross-Site Request Forgery (CSRF). A CSRF attack works by getting an authorized user to visit a malicious website and then performing requests on behalf of the user. In this instance, actions include enabling and disabling jobs. All users running an affected release on Rails < 5.2 should upgrade immediately.

Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.

An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.