Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

GHSA-qchr-8m24-7v66: Drupal Google Tag Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Google Tag allows Cross Site Request Forgery. This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

ghsa
Open in Source
#csrf#vulnerability#web#google#auth
GHSA-jv6r-mj9p-9xff: Drupal General Data Protection Regulation Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal General Data Protection Regulation allows Cross Site Request Forgery. This issue affects General Data Protection Regulation: from 0.0.0 before 3.0.1, from 3.1.0 before 3.1.2.

GHSA-qq45-cqhg-jwx5: Drupal Configuration Split Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Configuration Split allows Cross Site Request Forgery. This issue affects Configuration Split: from 0.0.0 before 1.10.0, from 2.0.0 before 2.0.2.

GHSA-jh66-rjx8-8qqc: Drupal Matomo Analytics Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Matomo Analytics allows Cross Site Request Forgery. This issue affects Matomo Analytics: from 0.0.0 before 1.24.0.

GHSA-ccc9-jgj7-hxc7: Drupal Cache Utility Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery. This issue affects Cache Utility: from 0.0.0 before 1.2.1.

GHSA-6chf-hhqf-749c: Drupal OAuth2 Client Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal OAuth2 Client allows Cross Site Request Forgery. This issue affects OAuth2 Client: from 0.0.0 before 4.1.3.

GHSA-9w85-x5hg-fr66: Drupal AI Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Drupal AI (Artificial Intelligence) allows Cross Site Request Forgery. This issue affects AI (Artificial Intelligence): from 1.0.0 before 1.0.2.

CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2019-9874 (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF

GHSA-528q-4pgm-wvg2: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

### Description The go-httpbin framework is vulnerable to XSS as the user can control the `Response Content-Type` from GET parameter. This allows attacker to execute cross site scripts in victims browser. ### Affected URLs: - `/response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert(%27xss%27)%3E` - `/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html` - `/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html` ### Steps to reproduce: 1. Visit one of the above mentioned URLs. 2. XSS window will popup ### Suggested fix - Allow Only Safe Content-Type Values Or give users option to define whitelisted Content-Type headers ### Criticality The following can be major impacts of the issue: * Access to victim's sensitive Personal Identifiable Information. * Access to CSRF token * Cookie injection * Phishing * And any other thing Javascript can perform

GHSA-969w-gqqr-g6j3: MLflow Cross-Site Request Forgery (CSRF) vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.