Security
Headlines
HeadlinesLatestCVEs

Tag

#perl

CVE-2023-1068: Download Read More Excerpt Link <= 1.6.0 - Cross-Site Request Forgery to Settings Update — Wordfence Intelligence Community Edition

The Download Read More Excerpt Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation on the read_more_excerpt_link_menu_options() function. This makes it possible for unauthenticated attackers to update he plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE
Open in Source
#vulnerability#wordpress#intel#perl#auth
CVE-2023-26091: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers)

The frp_form_answers (aka Forms Export) extension before 3.1.2, and 4.x before 4.0.2, for TYPO3 allows XSS via saved emails.

CVE-2023-26545

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

CVE-2023-26037: SQL injection in report_event_audit

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.

CVE-2023-26036: Local File Inclusion vulnerability

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33.

Simple Food Ordering System 1.0 Cross Site Scripting

Simple Food Ordering System version 1.0 suffers from a cross site scripting vulnerability.

Music Gallery Site 1.0 SQL Injection

Music Gallery Site version 1.0 suffers from multiple remote SQL injection vulnerabilities.

Music Gallery Site 1.0 Privilege Escalation / Missing Authentication

Music Gallery Site version 1.0 suffers from a missing authentication vulnerability that allows for privilege escalation.

CVE-2023-1029: WP Meta SEO <= 4.5.3 - Cross-Site Request Forgery via 'regenerateSitemaps' — Wordfence Intelligence Community Edition

The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the regenerateSitemaps function. This makes it possible for unauthenticated attackers to regenerate Sitemaps via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Employee Task Management System 1.0 SQL Injection

Employee Task Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.