Security
Headlines
HeadlinesLatestCVEs

Source

CVE

CVE-2023-5544: Official Moodle git projects - moodle.git/search

Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.

CVE
Open in Source
#xss#git
CVE-2023-5546: Official Moodle git projects - moodle.git/search

ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.

CVE-2023-5542: Official Moodle git projects - moodle.git/search

Students in "Only see own membership" groups could see other students in the group, which should be hidden.

CVE-2023-39198: cve-details

A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.

CVE-2023-6053

A vulnerability, which was classified as critical, has been found in Tongda OA 2017 up to 11.9. Affected by this issue is some unknown functionality of the file general/system/censor_words/manage/delete.php. The manipulation of the argument DELETE_STR leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. VDB-244874 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-34182: WordPress LH Password Changer plugin <= 1.55 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Peter Shaw LH Password Changer plugin <= 1.55 versions.

CVE-2023-34371: WordPress SpamReferrerBlock plugin <= 2.22 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Didier Sampaolo SpamReferrerBlock plugin <= 2.22 versions.

CVE-2023-34178: WordPress Groundhogg plugin <= 2.7.11 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Groundhogg Inc. Groundhogg plugin <= 2.7.11 versions.

CVE-2023-6054

A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.9. This affects an unknown part of the file general/wiki/cp/manage/lock.php. The manipulation of the argument TERM_ID_STR leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-244875. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.