Tag

#csrf

GHSA-v6x6-4v4x-2fx9: Lunary Cross-Site Request Forgery (CSRF) vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks.

SPIP BigUp 4.3.1 / 4.2.15 / 4.1.17 Unauthenticated Remote Code Execution

This Metasploit module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. This critical vulnerability affects all versions of SPIP from 4.0 up to and including 4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code remotely via the public interface. The vulnerability has been patched in versions 4.3.2, 4.2.16, and 4.1.18.

3DSecure 2.0 3DS Authorization Method Cross Site Request Forgery

A cross site request forgery vulnerability was identified in the Authorization Method of 3DSecure version 2.0, allowing attackers to submit unauthorized form data by modifying the HTTP Origin and Referer headers.

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Request Forgery

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a cross site request forgery vulnerability.