Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

Student Management System 1.0 Insecure Cookie Handling

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

Packet Storm
#sql#xss#csrf#vulnerability#web#ios#mac#windows#apple#google#ubuntu#linux#debian#cisco#java#php#perl#auth#ruby#firefox
Simple Responsive Tourism Website 1.0 Cross Site Request Forgery

Simple Responsive Tourism Website version 1.0 suffers from a cross site request forgery vulnerability.

Simple Music Management System 1.0 Add Administrator / Cross Site Request Forgery

Simple Music Management System version 1.0 suffers from add administrator and cross site request forgery vulnerabilities.

Advantech ADAM-5630

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Advantech Equipment: ADAM-5630 Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user's session, perform cross-site request forgery, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Advantech's ADAM are affected: Advantech ADAM-5630: versions prior to v2.5.2 3.2 Vulnerability Overview 3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539 Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user. CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been ...

GHSA-79gp-q4wv-33fr: Cross-Site Request Forgery (CSRF) in strawberry-graphql

### Impact Multipart file upload support as defined in the [GraphQL multipart request specification](https://github.com/jaydenseric/graphql-multipart-request-spec) was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to CSRF attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. ### Patches Version `v0.243.0` is the first `strawberry-graphql` including a patch. Check out our [documentation](https://strawberry.rocks/docs/breaking-changes/0.243.0) for additional details and upgrade instructions. ### References - [Strawberry upgrade guide](https://strawberry.rocks/docs/breaking-changes/0.243.0) - [Multipart Upload Secur...

PHP ACRSS 1.0 Cross Site Request Forgery

PHP ACRSS version 1.0 suffers from a cross site request forgery vulnerability.

PHP SPM 1.0 Cross Site Request Forgery

PHP SPM version 1.0 suffers from a cross site request forgery vulnerability.