Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-0832: under-construction.php in under-construction-page/trunk – WordPress Plugin Repository

The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE
Open in Source
#sql#web#ios#mac#apple#google#ubuntu#cisco#redis#js#java#wordpress#php#perl#auth#dell#chrome#sap#maven#ssl
CVE-2023-1016: Intuitive Custom Post Order <= 3.1.3 - Authenticated (Admin+) SQL Injection — Wordfence Intelligence

The Intuitive Custom Post Order plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.1.3, due to insufficient escaping on the user supplied 'objects' and 'tags' parameters and lack of sufficient preparation in the 'update_options' function as well as the 'refresh' function which runs queries on the same values. This allows authenticated attackers, with administrator permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note that this attack may only be practical on configurations where it is possible to bypass addslashes due to the database using a nonstandard character set such as GBK.

CVE-2023-34958: Security issues - Chamilo LMS

Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.

CVE-2023-34959: Security issues - Chamilo LMS

An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.

CVE-2023-34961: Security issues - Chamilo LMS

Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.

Now’s not the time to take our foot off the gas when it comes to fighting disinformation online

YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”

Expert Restaurant eCommerce 1.0 Cross Site Scripting

Expert Restaurant eCommerce version 1.0 suffers from a cross site scripting vulnerability.

Expert Restaurant eCommerce 1.0 SQL Injection

Expert Restaurant eCommerce version 1.0 suffers from a remote SQL injection vulnerability.

NETXPERTS CMS 0.1 SQL Injection

NETXPERTS CMS version 0.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Clop Ransomware Gang Likely Exploiting MOVEit Transfer Vulnerability Since 2021

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection