3496 matches found
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 67 vulnerabilities disclosed in 60 WordPress Plugins and no WordPress themes that have been added to the Wordfence...
CVE-2024-22408 Server-Side Request Forgery (SSRF) in Shopware Flow Builder
Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to perform web requests to internal hosts. This issue has been fix...
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2024 to January 7, 2024)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 85 vulnerabilities disclosed in 74 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence...
GitLab < 15.7.8 (SECURITY-RELEASE-GITLAB-15-9-2-RELEASED)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A speciall...
GitLab 15.1 < 15.5.7 / 15.6 < 15.6.4 / 15.7 < 15.7.2 (CVE-2022-4342)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A...
CVE-2023-50259 Blind SSRF in /home/testslack endpoint
Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The testslack request handler in medusa/server/web/home/handler.py does not validate the user-controlled slackwebhook variable and passes i...
PT-2023-31512 · Medusa · Medusa
Name of the Vulnerable Software and Affected Versions: Medusa versions prior to 1.0.19 Description: Medusa is an automatic video library manager for TV shows. The issue is related to unauthenticated blind server-side request forgery (SSRF). The testDiscord request handler in...
PT-2023-31513 · Medusa · Medusa
Name of the Vulnerable Software and Affected Versions: Medusa versions prior to 1.0.19 Description: Medusa is an automatic video library manager for TV shows. The issue is related to unauthenticated blind server-side request forgery (SSRF). The testslack request handler in...
CVE-2023-50728
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request w...
Cross-site request forgery (CSRF)
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request w...
CVE-2023-50728
CVE-2023-50728 affects the octokit/webhooks library used by Node.js projects. The root cause is a flaw in error handling where an error can be undefined, causing an uncaught exception that terminates the Node.js process. Affected versions include 9.26.0 through 9.26.3, 10.9.2, 11.1.2, and 12.0.4....
CVE-2023-50728 Unauthenticated Denial of Service in the octokit/webhooks library
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request w...
olcne security update
conmon 2.1.3-7 - Resolve CVE-2023-39325 2.1.3-6 - Add ol8baseoslatest, and ol9baseoslatest, to Jenkinsfile 2.1.3-5 - Add systemd-devel as build requirement 2.1.3-4 - Add support ARM build 2.1.3.3 - Add OL9 support 2.1.3.2 - Update inline with Linux team building conmon for all but OL7. cri-o...
PostHog Code Issues Vulnerabilities
PostHog is an all-in-one open source platform from PostHog Open Source. A code issue vulnerability exists in PostHog that stems from not verifying that a URL is local when enabling Webhook, allowing authenticated users to spoof POST requests...
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence...
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence...
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 package...
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)
Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th. Last week, ther...
UBUNTU-CVE-2023-46735
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in WebhookController returns unescaped user-submitted input. As of version 6.3.8, WebhookController now doesn't return any...
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)
Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence...