#web

PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Use after free in WebAudio in Google Chrome prior to 119.0.6045.123 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Muneeb Layer Slider plugin <= 1.1.9.7 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Web-Settler Social Feed | All social media in one place plugin <= 1.5.4.6 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Map Plugins Basic Interactive World Map plugin <= 2.0 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Apollo13Themes Apollo13 Framework Extensions plugin <= 1.9.0 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Bainternet ShortCodes UI plugin <= 1.9.8 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Post Sliders & Post Grids plugin <= 1.0.20 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Vyas Dipen Top 25 Social Icons plugin <= 3.1 versions.