#csrf

Categories: Exploits and vulnerabilities Categories: News Tags: Ruckus Tags: CISA Tags: AndoryuBot Tags: CVE-2023-25717 Tags: 163.123.142.146 CISA has added a Ruckus vulnerability being abused by the AndoryuBot botnet to its catalog. (Read more...) The post Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs appeared first on Malwarebytes Labs.

The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example

The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting Holidays, which could allow attackers to make logged in admins delete arbitrary holidays via a CSRF attack

The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting designations, which could allow attackers to make logged in admins delete arbitrary designations via a CSRF attack

The Clock In Portal- Staff & Attendance Management WordPress plugin through 2.1 does not have CSRF check when deleting Staff members, which could allow attackers to make logged in admins delete arbitrary Staff via a CSRF attack

The RapidExpCart WordPress plugin through 1.0 does not sanitize and escape the url parameter in the rapidexpcart endpoint before storing it and outputting it back in the page, leading to a Stored Cross-Site Scripting vulnerability which could be used against high-privilege users such as admin, furthermore lack of csrf protection means an attacker can trick a logged in admin to perform the attack by submitting a hidden form.

kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.

1. EXECUTIVE SUMMARY CVSS v3 8.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: BirdDog Equipment: STUDIO R3, 4K QUAD, MINI, A300 EYES Vulnerabilities: Cross-Site Request Forgery, Use of Hard-Coded Credentials 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to remotely execute code or obtain unauthorized access to the product. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following BirdDog camera and encoder versions are affected: 4K QUAD:  Versions 4.5.181 and 4.5.196 MINI: Version 2.6.2 A300 EYES: Version 3.4 STUDIO R3: Version 3.6.4 3.2 VULNERABILITY OVERVIEW 3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352 The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files. CVE-2023-2505 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N). 3.2.2 USE OF HARD-CODED CREDENTIALS...

Cross-Site Request Forgery (CSRF) vulnerability in Nickys Image Map Pro for WordPress - Interactive SVG Image Map Builder plugin < 5.6.9 versions.

Cross-site request forgery (CSRF) vulnerability in LIQUID SPEECH BALLOON versions prior to 1.2 allows a remote unauthenticated attacker to hijack the authentication of a user and to perform unintended operations by having a user view a malicious page.