Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-35041: WordPress Web Push Notifications – Webpushr plugin <= 4.34.0 - CSRF Leading to LFI vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability leading to Local File Inclusion (LF) in Webpushr Web Push Notifications Web Push Notifications – Webpushr plugin <= 4.34.0 versions.

CVE
Open in Source
#csrf#vulnerability#web#wordpress#auth
CVE-2023-31219: WordPress Download Monitor plugin <= 4.8.1 - Server Side Request Forgery (SSRF) vulnerability - Patchstack

Server-Side Request Forgery (SSRF) vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.8.1.

CVE-2023-34013: WordPress Poll Maker plugin <= 4.6.2 - Server Side Request Forgery (SSRF) vulnerability - Patchstack

Server-Side Request Forgery (SSRF) vulnerability in Poll Maker Team Poll Maker – Best WordPress Poll Plugin.This issue affects Poll Maker – Best WordPress Poll Plugin: from n/a through 4.6.2.

CVE-2023-38364

IBM CICS TX Advanced 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260821.

CVE-2023-26543: WordPress WP Meteor Page Speed Optimization Topping plugin <= 3.1.4 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Aleksandr Guidrevitch WP Meteor Website Speed Optimization Addon plugin <= 3.1.4 versions.

Chess.com Faces Second Data Leak: 476,000 Scraped User Records Leaked

By Waqas The most recent data leak of Chess.com user records occurred on Friday, November 10th, 2023. This is a post from HackRead.com Read the original post: Chess.com Faces Second Data Leak: 476,000 Scraped User Records Leaked

GHSA-72hg-5wr5-rmfc: Statamic CMS remote code execution via front-end form uploads

### Impact On front-end forms with an asset upload field, PHP files crafted to look like images may be uploaded regardless of mime validation rules. This only affects forms using the "Forms" feature and not just _any_ arbitrary form. This does not affect the control panel. ### Patches It has been patched in 3.4.13 and 4.33.0.

GHSA-72x2-5c85-6wmr: Symfony potential Cross-site Scripting in WebhookController

### Description The error message in WebhookController returns unescaped user-submitted input. ### Resolution WebhookController now doesn't return any user-submitted input in its response. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962) for branch 6.3. ### Credits We would like to thank Maxime Aknin for reporting the issue and to Nicolas Grekas for providing the fix.