Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2023-3304: IDOR in message deletion in admidio

Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9.

CVE
Open in Source
#csrf#vulnerability#web#mac#windows#apple#js#git#php#auth#chrome#webkit
GHSA-phwm-87rg-27qq: XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

### Impact It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token. ### Patches The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6. ### Workarounds There's no workaround for this other than upgrading XWiki. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-20339 * Commit containing the fix: https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

GHSA-rwcp-qrwg-56cg: Casdoor Cross-Site Request Forgery vulnerability

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint `/api/set-password`. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

CVE-2023-34028: WordPress WOLF plugin <= 1.0.7 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.7 versions.

CVE-2023-34927: Casdoor Vulnerability

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

CVE-2023-32960: WordPress UpdraftPlus plugin <= 1.23.3 - CSRF lead to wp-admin Site Wide XSS vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in UpdraftPlus.Com, DavidAnderson UpdraftPlus WordPress Backup Plugin <= 1.23.3 versions leads to sitewide Cross-Site Scripting (XSS).

CVE-2023-33725: Burptrast/docs/CVE-2023-33725 at main · Contrast-Security-OSS/Burptrast

Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA.

WordPress WP Sticky Social 1.0.1 CSRF / Cross Site Scripting

WordPress WP Sticky Social plugin version 1.0.1 suffers from cross site request forgery and cross site scripting vulnerabilities.