Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

GHSA-fmxq-v8mg-qh25: apollo-portal has potential CSRF issue

### Impact A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. ### Patches Cookie SameSite strategy was set to Lax in #4664 and was released in [v2.1.0](https://github.com/apolloconfig/apollo/releases/tag/v2.1.0). ### Workarounds To fix the potential issue without upgrading, simply follow the advice that does not visit unknown source pages. ### References [Apollo Security Guidence](https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related) ### For more information If you have any questions or comments about this advisory: * Open an issue in [issue](https://github.com/apolloconfig/apollo/issues) * Email us at [apollo-config@googlegroups.com](mailto:apollo-config@googlegroups.com)

ghsa
Open in Source
#csrf#vulnerability#web#google#git#java#auth#maven
CVE-2022-4386

The Intuitive Custom Post Order WordPress plugin before 3.1.4 lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack

CVE-2021-32852: countly-server/reset.html at 6b90bb775e747cabe46fe197c6a6989acc6c3417 · Countly/countly-server

Countly, a product analytics solution, is vulnerable to cross-site scripting prior to version 21.11 of the community edition. The victim must follow a malicious link or be redirected there from malicious web site. The attacker must have an account or be able to create one. This issue is patched in version 21.11.

CVE-2022-48320: Fix CSRF in add-visual endpoint

Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.

CVE-2023-25569: Potential csrf issue in apollo-portal

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.

Massive GoAnywhere RCE Exploit: Everything You Need to Know

Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.

Demanzo Matrimony 1.5 Cross Site Request Forgery

Demanzo Matrimony version 1.5 suffers from a cross site request forgery vulnerability.

CVE-2023-24388: WordPress Booking calendar, Appointment Booking System plugin <= 3.2.3 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete).

CVE-2021-33396: There is a CSRF vulnerability · Issue #7 · baijiacms/baijiacmsV4

Cross Site Request Forgery (CSRF) vulnerability in baijiacms 4.1.4, allows attackers to change the password or other information of an arbitrary account via index.php.