Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-4469: Profile Extra Fields by BestWebSoft <= 1.2.7 - Missing Authorization to Sensitive Information Exposure — Wordfence Intelligence

The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrflds_export_file function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially sensitive user data, including data entered into custom fields.

CVE
Open in Source
#vulnerability#web#wordpress#intel#perl#auth
GitHub's Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack. Validity checks, introduced by the Microsoft subsidiary earlier this year, alert users whether exposed tokens found by secret scanning are active, thereby allowing for effective remediation measures. It was first

Supermicro's BMC Firmware Found Vulnerable to Multiple Critical Vulnerabilities

Multiple security vulnerabilities have been disclosed in the Intelligent Platform Management Interface (IPMI) firmware for Supermicro baseboard management controllers (BMCs) that could result in privilege escalation and execution of malicious code on affected systems. The seven flaws, tracked from CVE-2023-40284 through CVE-2023-40290, vary in severity from High to Critical, according to Binarly

CVE-2023-26153: geokit-rails v2.3.2 Unsafe Deserialisation

Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system.

CVE-2023-43343: GitHub - sromanhu/CVE-2023-43343-Quick-CMS-Stored-XSS---Pages-Files: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a craft

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Files - Description parameter in the Pages Menu component.

CVE-2023-44024: [CVE-2023-44024] Improper neutralization of SQL parameters in KnowBand - One Page Checkout, Social Login & Mailchimp module for PrestaShop

SQL injection vulnerability in KnowBand Module One Page Checkout, Social Login & Mailchimp (supercheckout) v.8.0.3 and before allows a remote attacker to execute arbitrary code via a crafted request to the updateCheckoutBehaviour function in the supercheckout.php component.

CVE-2023-43983: [CVE-2023-43983] Improper neutralization of SQL parameter in Presto Changeo - Attribute Grid module for PrestaShop

Presto Changeo attributegrid up to 2.0.3 was discovered to contain a SQL injection vulnerability via the component disable_json.php.

CVE-2023-40920: [CVE-2023-40920] Improper neutralization of an SQL parameter in prixanconnect module for PrestaShop

Prixan prixanconnect up to v1.62 was discovered to contain a SQL injection vulnerability via the component CartsGuruCatalogModuleFrontController::importProducts().

CVE-2023-43981: [CVE-2023-43981] Deserialization of Untrusted Data in Presto Changeo - Test Site Creator module for PrestaShop

Presto Changeo testsitecreator up to 1.1.1 was discovered to contain a deserialization vulnerability via the component delete_excluded_folder.php.

CVE-2023-43260: CVE-2023-43260.md

Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the admin panel.