Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2023-48331: WordPress MyBookTable Bookstore by Stormhill Media plugin <= 3.3.4 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Stormhill Media MyBookTable Bookstore by Stormhill Media allows Cross Site Request Forgery.This issue affects MyBookTable Bookstore by Stormhill Media: from n/a through 3.3.4.

CVE
#csrf#vulnerability#wordpress#auth
CVE-2023-48283: WordPress Simple Testimonials Showcase plugin <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Testimonials Showcase allows Cross Site Request Forgery.This issue affects Simple Testimonials Showcase: from n/a through 1.1.5.

CVE-2023-48330: WordPress Bulk Comment Remove plugin <= 2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Mike Strand Bulk Comment Remove allows Cross Site Request Forgery.This issue affects Bulk Comment Remove: from n/a through 2.

CVE-2023-6137: WordPress Frontier Post plugin <= 6.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in finnj Frontier Post allows Cross Site Request Forgery.This issue affects Frontier Post: from n/a through 6.1.

CVE-2023-48282: WordPress Taxonomy filter plugin <= 2.2.9 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Andrea Landonio Taxonomy filter allows Cross Site Request Forgery.This issue affects Taxonomy filter: from n/a through 2.2.9.

CVE-2023-49076: CSRF Leading to create a new customer

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.

GHSA-cv4x-9f34-8rp9: Jenkins MATLAB Plugin missing permission checks

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks. Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

GHSA-wpfc-r5qq-7r7p: Jenkins NeuVector Vulnerability Scanner Plugin Cross-Site Request Forgery vulnerability

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

GHSA-82q9-88m2-4v68: Jenkins MATLAB Plugin XML External Entity vulnerability

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks. Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

GHSA-9f5g-rgcr-8grw: Jenkins MATLAB Plugin cross-site request forgery vulnerability

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks. Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.