Latest vulnerabilities of Sunday, November 12, 2023

Last update performed on 11/12/2023 at 11:57:02 PM

(0) CRITICAL VULNERABILITIES [9.0, 10.0]

(0) HIGH VULNERABILITIES [7.0, 8.9]

(11) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : vuldb.com

Vulnerability ID : CVE-2023-6084

First published on : 12-11-2023 11:15:07
Last modified on : 12-11-2023 11:15:07

Description :
A vulnerability was found in Tongda OA 2017 up to 11.9 and classified as critical. Affected by this issue is some unknown functionality of the file general/vehicle/checkup/delete.php. The manipulation of the argument VU_ID leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. VDB-244994 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2023-6084
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/T1ANGzy/cve/blob/main/sql.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.244994 | source : cna@vuldb.com
https://vuldb.com/?id.244994 | source : cna@vuldb.com

Vulnerability : CWE-89
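
The advisory above gives two concrete detection handles: the script path general/vehicle/checkup/delete.php and the parameter VU_ID. The block below is an added example (not from vuldb, the reporter or Tongda) that scans web-server access logs for requests to that script whose VU_ID is not a plain integer and carries a generic SQL-injection indicator. The log lines, the indicator list and the assumption that a legitimate VU_ID is numeric are constructed for illustration; the payloads are generic and are not the disclosed proof of concept.

```python
"""Detector for SQL-injection attempts against the VU_ID parameter of
general/vehicle/checkup/delete.php (CVE-2023-6084). Added example; the
log lines and indicators are constructed, not the disclosed PoC."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "general/vehicle/checkup/delete.php"
TARGET_PARAM = "VU_ID"

# Generic SQL-injection indicators (assumption: a real VU_ID is an integer,
# so any of these inside the value is worth a look).
INDICATORS = [
    re.compile(r"['\"]"),                                   # string delimiter breakout
    re.compile(r"(--|#|/\*)"),                              # SQL comment sequences
    re.compile(r"\b(union|select|sleep|benchmark|or|and)\b", re.I),
    re.compile(r";"),                                       # stacked statement
]

# Request part of a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2023:11:20:01 +0000] "GET /general/vehicle/checkup/delete.php?VU_ID=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Nov/2023:11:20:07 +0000] "GET /general/vehicle/checkup/delete.php?VU_ID=42%27%20OR%201%3D1-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Nov/2023:11:20:09 +0000] "GET /general/vehicle/checkup/delete.php?VU_ID=1%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Nov/2023:11:20:11 +0000] "GET /general/vehicle/checkup/delete.php?VU_ID=42%2527 HTTP/1.1" 200 512',  # double-encoded quote
    '10.0.0.7 - - [12/Nov/2023:11:21:00 +0000] "GET /general/vehicle/checkup/index.php?VU_ID=1%27 HTTP/1.1" 200 512',  # other script, out of scope
    '10.0.0.7 - - [12/Nov/2023:11:21:30 +0000] "POST /general/vehicle/checkup/delete.php HTTP/1.1" 302 0',  # body not logged
]


def is_suspicious_value(value: str) -> bool:
    """True when the (once more decoded) value is non-numeric and carries an indicator.

    parse_qs already strips one layer of percent-encoding; decoding again
    catches double-encoded payloads such as %2527.
    """
    decoded = unquote_plus(value)
    if decoded.isdigit():
        return False
    return any(p.search(decoded) for p in INDICATORS)


def scan_log(lines):
    """Return (line_number, decoded VU_ID) for suspicious hits on the affected script."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_PATH):
            continue
        for v in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
            if is_suspicious_value(v):
                hits.append((n, unquote_plus(v)))
    return hits


if __name__ == "__main__":
    for n, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: VU_ID={payload!r}")
```

Caveat: an access log records the query string only, so a payload delivered in a POST body (as in the last sample line) never appears here; request-body logging or a WAF in front of the application is needed to see it. Either way the detection is a stopgap and the fix is the upgrade to 11.10 named in the advisory.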


Source : patchstack.com

Vulnerability ID : CVE-2023-28497

First published on : 12-11-2023 22:15:28
Last modified on : 12-11-2023 22:15:28

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Slideshow Gallery LITE plugin <= 1.7.6 versions.

CVE ID : CVE-2023-28497
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/slideshow-gallery/wordpress-slideshow-gallery-lite-plugin-1-7-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28618

First published on : 12-11-2023 22:15:29
Last modified on : 12-11-2023 22:15:29

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Enhanced Plugin Admin plugin <= 1.16 versions.

CVE ID : CVE-2023-28618
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/enhanced-plugin-admin/wordpress-enhanced-plugin-admin-plugin-1-16-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28694

First published on : 12-11-2023 22:15:29
Last modified on : 12-11-2023 22:15:29

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Wbcom Designs Wbcom Designs – BuddyPress Activity Social Share plugin <= 3.5.0 versions.

CVE ID : CVE-2023-28694
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/bp-activity-social-share/wordpress-wbcom-designs-buddypress-activity-social-share-plugin-3-4-0-cross-site-request-forgery-csrf?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-29425

First published on : 12-11-2023 22:15:30
Last modified on : 12-11-2023 22:15:30

Description :
Cross-Site Request Forgery (CSRF) vulnerability in plainware.Com ShiftController Employee Shift Scheduling plugin <= 4.9.23 versions.

CVE ID : CVE-2023-29425
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/shiftcontroller/wordpress-shiftcontroller-employee-shift-scheduling-plugin-4-9-23-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28495

First published on : 12-11-2023 22:15:28
Last modified on : 12-11-2023 22:15:28

Description :
Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop WP Shortcode by MyThemeShop plugin <= 1.4.16 versions.

CVE ID : CVE-2023-28495
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/wp-shortcode/wordpress-wp-shortcode-by-mythemeshop-plugin-1-4-16-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28498

First published on : 12-11-2023 22:15:29
Last modified on : 12-11-2023 22:15:29

Description :
Cross-Site Request Forgery (CSRF) vulnerability in MotoPress Hotel Booking Lite plugin <= 4.6.0 versions.

CVE ID : CVE-2023-28498
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/motopress-hotel-booking-lite/wordpress-hotel-booking-lite-plugin-4-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28696

First published on : 12-11-2023 22:15:29
Last modified on : 12-11-2023 22:15:29

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Harish Chouhan, Themeist I Recommend This plugin <= 3.9.0 versions.

CVE ID : CVE-2023-28696
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/i-recommend-this/wordpress-i-recommend-this-plugin-3-8-3-cross-site-request-forgery-csrf?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28930

First published on : 12-11-2023 22:15:29
Last modified on : 12-11-2023 22:15:29

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Robin Phillips Mobile Banner plugin <= 1.5 versions.

CVE ID : CVE-2023-28930
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/mobile-banner/wordpress-mobile-banner-plugin-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-28987

First published on : 12-11-2023 22:15:29
Last modified on : 12-11-2023 22:15:29

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.0.3 versions.

CVE ID : CVE-2023-28987
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/wp-ultimate-review/wordpress-wp-ultimate-review-plugin-2-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-29238

First published on : 12-11-2023 22:15:30
Last modified on : 12-11-2023 22:15:30

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Whydonate Whydonate – FREE Donate button – Crowdfunding – Fundraising plugin <= 3.12.15 versions.

CVE ID : CVE-2023-29238
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/wp-whydonate/wordpress-whydonate-plugin-3-12-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352
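
All ten Patchstack entries above are the same weakness, CWE-352: a WordPress plugin action that changes state after checking only that the browser carries a logged-in session. The block below is an added Python model (not the code of WordPress or of any plugin listed here) of why the cookie alone is not enough and what a nonce check adds. The action name delete_slide, the slide table, the session token, the secret and the timestamp are constructed; the nonce scheme mirrors WordPress's semantics (an HMAC over action, user, session and a time tick, accepted for the current and the previous half-lifetime tick) but is a model, not the real implementation.

```python
"""Model of the request-token check the plugins above omitted (CWE-352).
Added example, not WordPress or plugin code. Nonce semantics mirror
WordPress as a model: HMAC over action|user|session|tick, accepted for
the current and previous half-lifetime tick."""
import hashlib
import hmac
from dataclasses import dataclass

NONCE_LIFE = 24 * 60 * 60                            # seconds; split into two ticks
SITE_SECRET = b"constructed-secret-not-a-real-salt"  # stands in for the site salt


def _tick(now: int) -> int:
    return now // (NONCE_LIFE // 2)


def create_nonce(action: str, user_id: int, session_token: str, now: int) -> str:
    msg = f"{action}|{user_id}|{session_token}|{_tick(now)}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:12]


def verify_nonce(nonce: str, action: str, user_id: int, session_token: str, now: int) -> bool:
    # A nonce minted in the previous tick is still accepted (grace period).
    for t in (now, now - NONCE_LIFE // 2):
        if hmac.compare_digest(nonce, create_nonce(action, user_id, session_token, t)):
            return True
    return False


@dataclass
class Session:
    user_id: int
    token: str
    capabilities: frozenset


@dataclass
class Request:
    method: str
    params: dict  # form fields; the browser attaches the victim's cookies no matter which site hosted the form


def fresh_store():
    return {1: "hero", 2: "promo"}  # constructed slide table


def handle_unprotected(store, req, session) -> bool:
    """Vulnerable pattern: an admin session cookie is all it takes."""
    if req.method != "POST" or "manage_options" not in session.capabilities:
        return False
    return store.pop(int(req.params["id"]), None) is not None


def handle_protected(store, req, session, now) -> bool:
    """Hardened pattern: capability check plus a nonce bound to user, action and time."""
    if req.method != "POST" or "manage_options" not in session.capabilities:
        return False
    if not verify_nonce(req.params.get("_wpnonce", ""), "delete_slide",
                        session.user_id, session.token, now):
        return False
    return store.pop(int(req.params["id"]), None) is not None


def run_demo():
    """Forged cross-site POST vs. legitimate POST against both handlers."""
    now = 1_699_790_000  # constructed timestamp (November 2023)
    admin = Session(user_id=1, token="sess-abc", capabilities=frozenset({"manage_options"}))
    forged = Request("POST", {"id": "1"})  # attacker's form: no nonce, but the cookie rides along
    out = {}
    out["forged_unprotected"] = handle_unprotected(fresh_store(), forged, admin)
    out["forged_protected"] = handle_protected(fresh_store(), forged, admin, now)
    good = Request("POST", {"id": "1", "_wpnonce": create_nonce("delete_slide", 1, "sess-abc", now)})
    out["legit_protected"] = handle_protected(fresh_store(), good, admin, now)
    prev = Request("POST", {"id": "1", "_wpnonce": create_nonce("delete_slide", 1, "sess-abc", now - NONCE_LIFE // 2)})
    out["previous_tick"] = handle_protected(fresh_store(), prev, admin, now)
    stale = Request("POST", {"id": "1", "_wpnonce": create_nonce("delete_slide", 1, "sess-abc", now - NONCE_LIFE)})
    out["expired"] = handle_protected(fresh_store(), stale, admin, now)
    wrong = Request("POST", {"id": "1", "_wpnonce": create_nonce("edit_slide", 1, "sess-abc", now)})
    out["wrong_action"] = handle_protected(fresh_store(), wrong, admin, now)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {'action performed' if v else 'rejected'}")
```

In a real plugin the equivalent of handle_protected is a check_admin_referer() or wp_verify_nonce() call together with current_user_can() at the top of the handler. When auditing a plugin, every admin-post, admin-ajax and REST callback that writes should have both; the Patchstack entries above are cases where at least one was missing, and the fix is the plugin update past the listed version.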


(0) LOW VULNERABILITIES [0.1, 3.9]

(2) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : apache.org

Vulnerability ID : CVE-2023-42781

First published on : 12-11-2023 14:15:25
Last modified on : 12-11-2023 15:15:07

Description :
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are advised to upgrade to version 2.7.3 or newer to mitigate the risk associated with this vulnerability.

CVE ID : CVE-2023-42781
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2023/11/12/2 | source : security@apache.org
https://github.com/apache/airflow/pull/34939 | source : security@apache.org
https://lists.apache.org/thread/7dnl8nszdxqyns57f3dw0sloy5dfl9o1 | source : security@apache.org

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-47037

First published on : 12-11-2023 14:15:25
Last modified on : 12-11-2023 15:15:07

Description :
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability.

CVE ID : CVE-2023-47037
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2023/11/12/1 | source : security@apache.org
https://github.com/apache/airflow/pull/33413 | source : security@apache.org
https://lists.apache.org/thread/04y4vrw1t2xl030gswtctc4nt1w90cb0 | source : security@apache.org

Vulnerability : CWE-863
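
Both Airflow entries are authorization bugs of the same shape: the endpoint confirms that the caller holds some DAG permission, then fails to scope what it reads (CVE-2023-42781, CWE-200) or writes (CVE-2023-47037, CWE-863) to that permission. The block below is an added, hypothetical Python model of the two patterns beside their corrected forms. It is not Airflow's code; the in-memory records, the User object and the function names are constructed for illustration.

```python
"""Hypothetical model of the two Airflow authorization bugs above
(CWE-200 read scoping, CWE-863 write scoping). Added example; not
Airflow's code. Records, user object and function names are constructed."""
from copy import deepcopy
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    readable_dags: frozenset  # DAG ids on which the user holds DAG-read


def constructed_db():
    """In-memory stand-in for the metadata database (constructed data)."""
    return {
        "task_instances": [
            {"dag_id": "dag_a", "task_id": "extract", "state": "success"},
            {"dag_id": "dag_b", "task_id": "load", "state": "failed"},
            {"dag_id": "dag_b", "task_id": "report", "state": "running"},
        ],
        "dag_runs": {
            "dag_a__2023-11-12": {"dag_id": "dag_a", "conf": {"env": "prod"},
                                  "start_date": "2023-11-12T00:00:00", "note": None},
        },
    }


def list_task_instances_leaky(db, user):
    """CWE-200 pattern: gate on 'holds any DAG-read', then return every row."""
    if not user.readable_dags:
        raise PermissionError("no DAG read permission")
    return deepcopy(db["task_instances"])


def list_task_instances_fixed(db, user):
    """Object-level scoping: the permission becomes part of the query filter."""
    return [deepcopy(ti) for ti in db["task_instances"] if ti["dag_id"] in user.readable_dags]


NOTE_FIELDS = frozenset({"note"})


def set_run_note_vulnerable(db, user, run_id, payload):
    """CWE-863 pattern: the note endpoint merges the whole client payload."""
    run = db["dag_runs"][run_id]
    if run["dag_id"] not in user.readable_dags:
        raise PermissionError("not authorized for this DAG")
    run.update(payload)  # conf, start_date, ... are now client-writable
    return run


def set_run_note_fixed(db, user, run_id, payload):
    """Allow-list the one mutable field and fail closed on anything else."""
    run = db["dag_runs"][run_id]
    if run["dag_id"] not in user.readable_dags:
        raise PermissionError("not authorized for this DAG")
    extra = set(payload) - NOTE_FIELDS
    if extra:
        raise ValueError(f"fields not writable via note endpoint: {sorted(extra)}")
    run["note"] = payload.get("note")
    return run


def demo():
    """Exercise both variants as a user who may read dag_a only."""
    analyst = User("analyst", frozenset({"dag_a"}))
    out = {}
    db = constructed_db()
    out["leaky_dags"] = sorted({ti["dag_id"] for ti in list_task_instances_leaky(db, analyst)})
    out["fixed_dags"] = sorted({ti["dag_id"] for ti in list_task_instances_fixed(db, analyst)})
    payload = {"note": "reviewed", "conf": {"env": "dev"}, "start_date": "1970-01-01T00:00:00"}
    db = constructed_db()
    out["vuln_conf"] = set_run_note_vulnerable(db, analyst, "dag_a__2023-11-12", payload)["conf"]
    db = constructed_db()
    try:
        set_run_note_fixed(db, analyst, "dag_a__2023-11-12", payload)
        out["fixed_rejected"] = False
    except ValueError:
        out["fixed_rejected"] = True
    out["fixed_conf"] = db["dag_runs"]["dag_a__2023-11-12"]["conf"]  # unchanged after rejection
    out["fixed_note"] = set_run_note_fixed(db, analyst, "dag_a__2023-11-12", {"note": "reviewed"})["note"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two corrections are one idea applied to reads and writes: the caller's permission set is pushed into the query filter rather than checked once at the door, and a write endpoint copies only the fields it exists to change instead of merging whatever the client sent. The page's own remediation stands: upgrade to Airflow 2.7.3 or later.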


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
