Security Headlines

Tag: #csrf

CVE-2023-47757: WordPress AWeber plugin <= 7.3.9 - Broken Access Control vulnerability - Patchstack

Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in AWeber AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth allows Accessing Functionality Not Properly Constrained by ACLs, Cross-Site Request Forgery. This issue affects AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth: from n/a through 7.3.9.

CVE-2023-47675: CubeCart 6.5.3 Released - Security Update

CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.

CVE-2023-47687: WordPress Woo Custom and Sequential Order Number plugin <= 2.6.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in VJInfotech Woo Custom and Sequential Order Number plugin <= 2.6.0 versions.

CVE-2023-47686: WordPress Arigato Autoresponder and Newsletter plugin <= 2.7.2.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Kiboko Labs Arigato Autoresponder and Newsletter plugin <= 2.7.2.2 versions.

CVE-2023-47688: WordPress Youtube SpeedLoad plugin <= 0.6.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Alexufo Youtube SpeedLoad plugin <= 0.6.3 versions.

CVE-2023-43275: dedecms/v5.7_110-CSRF.md at main · thedarknessdied/dedecms

Cross-Site Request Forgery (CSRF) vulnerability in DedeCMS v5.7 in 110 backend management interface via /catalog_add.php, allows attackers to create crafted web pages due to a lack of verification of the token value of the submitted form.

CVE-2023-47637: SQL Injection in Admin Grid Filter API through Multiselect::getFilterConditionExt()

Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

GHSA-72hh-xf79-429p: Pimcore SQL Injection in Admin Grid Filter API through Multiselect::getFilterConditionExt()

### Summary

User input passed directly into an SQL statement allows (non-admin) backend users to execute arbitrary SQL statements.

### Details

The `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for at https://github.com/pimcore/admin-ui-classic-bundle/blob/bba7c7419cb1f06d5fd98781eab4d6995e4e5dca/src/Helper/GridHelperService.php#L311, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value: https://github.com/pimcore/pimcore/blob/42b6cfa77c4540205bdd10689893ccb73e4bac8f/models/DataObject/ClassDefinition/Data/Multiselect.php#L285-L312

### PoC

* Set up an example project as described on https://pimcore.com/docs/platform/Pimcore/Getting_Started/Installation/Docker_Based_Installation (demo package with example content)
* Enter the backend and add a new user without admin privileges, but the "Objec...

CVE-2023-47550: WordPress Donations Made Easy – Smart Donations plugin <= 4.0.12 - Cross Site Scripting (XSS) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in RedNao Donations Made Easy – Smart Donations allows Stored XSS. This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.