Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

CVE-2023-48200: GitHub - grocy/grocy: ERP beyond your fridge - Grocy is a web-based self-hosted groceries & household management solution for your home

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component.

CVE
#sql#xss#vulnerability#web#windows#linux#nodejs#js#git#php#nginx#auth#docker#chrome#firefox
CVE-2023-4690: Elementor Addon Elements <= 1.12.7 - Cross-Site Request Forgery — Wordfence Intelligence

The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_config function. This makes it possible for unauthenticated attackers to change configuration settings for the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-4689: Elementor Addon Elements <= 1.12.7 - Cross-Site Request Forgery — Wordfence Intelligence

The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_elements function. This makes it possible for unauthenticated attackers to enable/disable elementor addon elements via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-48365: Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-pending)

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

CVE-2023-47444: Static Code Injections in OpenCart (CVE-2023-47444)

An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.

Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

By Waqas Chinese scammers have been creating cloned versions of legitimate websites, redirecting visitors to gambling sites. This is a post from HackRead.com Read the original post: Chinese Scammers Exploit Cloned Websites in Vast Gambling Network

Google’s New Titan Security Key Adds Another Piece to the Password-Killing Puzzle

The new generation of hardware authentication key includes support for cryptographic passkeys as Google pushes adoption of the more secure login alternative.

Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises

By Waqas Domain squatting can lead you to malicious websites, and it might be too late to realize what actually happened. This is a post from HackRead.com Read the original post: Domain Squatting and Brand Hijacking: A Silent Threat to Digital Enterprises

CVE-2023-34982

This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.

Red Hat Security Advisory 2023-7213-01

Red Hat Security Advisory 2023-7213-01 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.