Security
Headlines

Tag: #web

CVE-2023-31235: WordPress Participants Database plugin <= 2.4.9 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Roland Barker, xnau webdesign Participants Database plugin <= 2.4.9 versions.

Tags: CVE, #csrf, #vulnerability, #web, #wordpress, #auth
Here’s How Violent Extremists Are Exploiting Generative AI Tools

Experts are finding thousands of examples of AI-created content every week that could allow terrorist groups and other violent extremists to bypass automated detection systems.

CVE-2023-5996: Chromium: CVE-2023-5996 Use after free in WebAudio

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window.
2. Click on **Help and Feedback**.
3. Click on **About Microsoft Edge**.

CVE-2023-32512: WordPress ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin <= 3.7.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in ShortPixel ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin <= 3.7.1 versions.

GHSA-2rmr-xw8m-22q9: Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint

### Impact

Unsanitized input to the Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to the user. This could open the door to other attack vectors:

* client-side vulnerabilities: XSS/CSRF in the context of the trusted domain;
* interaction with the internal network;
* reading cloud metadata endpoints (AWS, Azure, Google Cloud, etc.);
* local/remote port scanning.

This issue only affects users who have the [Next.js SDK tunneling feature](https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#configure-tunneling-to-avoid-ad-blockers) enabled.

### Patches

The problem has been fixed in [@sentry/nextjs@7.77.0](https://www.npmjs.com/package/@sentry/nextjs/v/7.77.0).

### Workarounds

Disable tunneling by removing the `tunnelRoute` option from the Sentry Next.js SDK config (`next.config.js` or `next.config.mjs`).

### References

* [Sentry Next.js tunneling feature](https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/#confi...

Omegle Was Forced to Shut Down by a Lawsuit From a Sexual Abuse Survivor

Omegle connected strangers to one another and had a long-standing problem of pairing minors with sexual predators. A legal settlement took it down.

GHSA-5cvx-cwpx-9rjh: Moodle Code Injection vulnerability

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution.

GHSA-fm5h-58g2-4m3f: Moodle Improper Access Control vulnerability

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.

CVE-2023-32739: WordPress WP Custom Cursors plugin < 3.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Web_Trendy WP Custom Cursors | WordPress Cursor Plugin plugin < 3.2 versions.

CVE-2023-5549: Official Moodle git projects - moodle.git/search

Insufficient web service capability checks made it possible to move categories a user had permission to manage, to a parent category they did not have the capability to manage.