The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.

CVE-2022-1695

The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack

CVE-2022-1709

The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1712

The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack

CVE-2022-1421

The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.

CVE-2022-1422

The Ask me WordPress theme before 6.8.2 does not perform CSRF checks for any of its AJAX actions, allowing an attacker to trick logged in users to perform various actions on their behalf on the site.

CVE-2022-1424

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE-2022-23712: Security issues

### Impact

There is no known practical impact other than it is just possible to manipulate CSRF cookie and XSS the malicious user self.

### Patches

Invalid characters of CSRF tokens are stripped after reading cookie. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

### Workarounds

No need for workarounds.

### References

N/A

### For more information

If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6953.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-pj96-4jhv-v792

**Cross site scripting via cookies in gogs**

Low severity GitHub Reviewed Published Jun 2, 2022 in gogs/gogs • Updated Jun 2, 2022

**Package**

gomod gogs.io/gogs (Go )

**Affected versions**

< 0.12.8

**Description**

**Impact**

There is no known practical impact other than it is just possible to manipulate CSRF cookie and XSS the malicious user self.

**Patches**

Invalid characters of CSRF tokens are stripped after reading cookie. Users should upgrade to 0.12.8 or the latest 0.13.0+dev.

**Workarounds**

No need for workarounds.

**References**

N/A

**For more information**

If you have any questions or comments about this advisory, please post on gogs/gogs#6953.

**References**

*   GHSA-pj96-4jhv-v792
*   gogs/gogs#6953

**Weaknesses**

**GHSA ID**

GHSA-pj96-4jhv-v792

**Source code**

GHSA-pj96-4jhv-v792: Cross site scripting via cookies in gogs

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVE-2022-1982: Security Updates

Couchbase Server before 7.1.0 has Incorrect Access Control.

Tag

#csrf