Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

GHSA-p379-cxqh-q822: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

### Impact SQL filtering vulnerability, a BO user can write, update and delete in the database, even without having specific rights. ### Patches PrestaShop 8.0.4 and 1.7.8.9 will contain the patch. ### Workarounds no ### References no

ghsa
#sql#vulnerability#git
CVE-2023-30839: SQL filter bypass leading to arbitrary write requests using "SQL Manager"

PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.

CVE-2021-23166: [SEC] CVE-2021-23166 - A sandboxing issue in Odoo Community 15.0 and... · Issue #107687 · odoo/odoo

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and write local files on the server.

CVE-2023-23837: DPA 2023.2 Release Notes

No exception handling vulnerability which revealed sensitive or excessive information to users.

CVE-2023-30545: Arbitrary file read

PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9

Red Hat Security Advisory 2023-1961-01

Red Hat Security Advisory 2023-1961-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a denial of service vulnerability.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

CVE-2023-1020

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2023-0388

The Random Text WordPress plugin through 0.3.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.

CVE-2023-26865: Dropshipping apps available integrations with BDroppy - BDroppy

SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.