Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

CVE-2023-26213: OS Command Injectionin Barracuda CloudGen WAN

On Barracuda CloudGen WAN Private Edge Gateway devices before 8 webui-sdwan-1089-8.3.1-174141891, an OS command injection vulnerability exists in /ajax/update_certificate - a crafted HTTP request allows an authenticated attacker to execute arbitrary commands. For example, a name field can contain :password and a password field can contain shell metacharacters.

CVE
Open in Source
#sql#csrf#vulnerability#web#microsoft#js#php#auth#ssl
Barracuda CloudGen WAN OS Command Injection

Barracuda CloudGen WAN provides a private edge appliance for hybrid deployments. An authenticated user in the administration interface for the private edge virtual appliance can inject arbitrary OS commands via the /ajax/update_certificate endpoint. Versions prior to v8.* hotfix 1089 are affected.

CVE-2023-26477: XWIKI-19757: Improved translation macro parameters escaping in Flamin… · xwiki/xwiki-platform@ea2e615

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

CVE-2022-47148: WordPress PDF Invoices & Packing Slips for WooCommerce plugin <= 3.2.5 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WP Overnight PDF Invoices & Packing Slips for WooCommerce plugin <= 3.2.5 leading to popup dismiss.

CVE-2022-46805: WordPress Conditional Payments for WooCommerce plugin <= 2.3.1 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Lauri Karisola / WP Trio Conditional Shipping for WooCommerce plugin <= 2.3.1 leading to activation/deactivation of plugin rulesets.

CVE-2022-46806: WordPress Cart All In One For WooCommerce plugin <= 1.1.10 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Cart All In One For WooCommerce plugin <= 1.1.10 leading to cart modification.

CVE-2022-46798: WordPress WooLentor plugin <= 2.5.1 - CSRF Leading to Plugin Settings Change Vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.5.1 leading to plugin settings change.

CVE-2022-46797: WordPress Actionable Google Analytics and Google Shopping plugin for WooCommerce plugin <= 5.2.3 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Conversios All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce plugin <= 5.2.3 leads to plugin settings change.

CVE-2022-45804: WordPress Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.9 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.9 leading to galleries hierarchy change, included plugin deactivate & activate.

CVE-2022-45068: WordPress Mercado Pago payments for WooCommerce plugin <= 6.3.1 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Mercado Pago Mercado Pago payments for WooCommerce plugin <= 6.3.1.