670 matches found

Github Security Blog
added 2022/09/16 9:01 p.m. · 37 views

Shopware access control list bypassed via crafted specific URLs

Impact: If backend admin controllers are called with a certain notation, the ACL can be bypassed, and users can execute actions that they are normally not permitted to perform. Patches: We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or...

CVSS 7.2 · AI score 6.8 · EPSS 0.00586
Exploits 0 · References 6 · Affected Software 1
OSV
added 2022/09/16 9:01 p.m. · 17 views

GHSA-QC43-PGWQ-3Q2Q Shopware access control list bypassed via crafted specific URLs

Impact: If backend admin controllers are called with a certain notation, the ACL can be bypassed, and users can execute actions that they are normally not permitted to perform. Patches: We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or...

CVSS 6.3 · AI score 6.5 · EPSS 0.00586
Exploits 0 · References 6
CVE
added 2022/09/16 8:22 p.m. · 56 views

CVE-2022-29489

CVE-2022-29489 describes a CSRF vulnerability in the WordPress Sucuri Security plugin (versions

CVSS 4.3 · AI score 4.6 · EPSS 0.00258
Exploits 0 · References 2 · Affected Software 1
ATTACKERKB
added 2022/09/14 2:19 p.m. · 4 views

CVE-2022-29489

Cross-Site Request Forgery (CSRF) vulnerability in Sucuri Security plugin <= 1.8.33 at WordPress leading to Event log entry creation...

CVSS 4.3 · AI score 4.9 · EPSS 0.00258
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2022/09/12 12:00 a.m. · 3 views

PT-2022-23193 · Shopware · Shopware

Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 5.7.15 Description: The issue allows users to bypass the Access Control List ACL if backend admin controllers are called with a certain notation, enabling them to execute actions they are normally not able to do...

CVSS 7.2 · AI score 7.1 · EPSS 0.00586
Exploits 0 · References 10
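The Shopware entries above (GHSA, OSV and PT-2022-23193) say only that calling backend controllers "with a certain notation" bypasses the ACL; none of them names the notation. The Python model below is an added example, not Shopware code, that reconstructs the general shape of such a bug: the ACL is looked up with the controller token exactly as it appears in the request, while the dispatcher resolves the controller class more liberally, so a spelling the ACL does not recognise is never denied. The controller and ACL tables, the variant spellings (case, separators) and the fail-open behaviour are assumptions made for the illustration.

```python
import re
from typing import Dict, Iterable, Optional, Set

# Constructed data for this example (not Shopware's real controller or ACL tables):
# backend controller classes keyed by canonical name, and the roles allowed to call each.
CONTROLLERS: Dict[str, str] = {
    "customer": "Backend_Customer",
    "order": "Backend_Order",
    "config": "Backend_Config",
}
ACL: Dict[str, Set[str]] = {
    "customer": {"admin", "support"},
    "order": {"admin"},
    "config": {"admin"},
}


def canonical_name(token: str) -> str:
    """Reduce a request's controller token to the form the dispatcher resolves on:
    lowercase with separators removed ('Order', 'ORDER', 'or_der' all become 'order').
    These variants are an assumption; the advisory does not name the notation."""
    return re.sub(r"[^a-z0-9]", "", token.strip().lower())


def dispatch_unsafe(role: str, token: str) -> Optional[str]:
    """Flawed flow: the ACL is consulted with the literal token. A variant spelling
    has no ACL entry, so no denial happens, and the dispatcher then resolves the
    same controller class anyway. Returns the controller that would run, or None."""
    if token in ACL and role not in ACL[token]:
        return None
    return CONTROLLERS.get(canonical_name(token))


def dispatch_safe(role: str, token: str) -> Optional[str]:
    """Hardened flow: canonicalize once, use that key for both the ACL lookup and
    the controller lookup, and fail closed when the ACL has no entry for it."""
    key = canonical_name(token)
    if not key or role not in ACL.get(key, set()):
        return None
    return CONTROLLERS.get(key)


def probe(role: str, tokens: Iterable[str]) -> Dict[str, tuple]:
    """Map each spelling to (unsafe result, safe result) so the two flows compare."""
    return {t: (dispatch_unsafe(role, t), dispatch_safe(role, t)) for t in tokens}


if __name__ == "__main__":
    for token, (unsafe, safe) in probe("support", ["order", "Order", "or_der"]).items():
        print(f"{token!r:10} unsafe={unsafe} safe={safe}")
```

The point to take from it: an authorization check and the dispatcher it protects must key on the same canonical identifier, and an identifier the ACL has never heard of must be denied rather than waved through.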
Positive Technologies
added 2022/09/12 12:00 a.m. · 3 views

PT-2022-23192 · Shopware · Shopware

Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 5.7.15 Description: The request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. There are no known workarounds for this issue...

CVSS 5.4 · AI score 5.2 · EPSS 0.00504
Exploits 0 · References 10
RedhatCVE
added 2022/08/19 4:38 a.m. · 55 views

CVE-2022-30946

A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b73a69a08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified web server...

CVSS 4.3 · AI score 1.7 · EPSS 0.00572
Exploits 0 · References 4
Prion
added 2022/08/12 6:15 p.m. · 22 views

Information disclosure

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features...

CVSS 5 · AI score 7.5 · EPSS 0.00918
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2022/08/12 5:40 p.m. · 14 views

CVE-2022-35980 OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Versions 2.0.0.0 and 2.1.0.0 of the security plugin are affected by an information disclosure vulnerability. Requests to an OpenSearch cluster configured with advanced access control features...

CVSS 7.5 · AI score 7.7 · EPSS 0.00918
Exploits 0 · References 3
Github Security Blog
added 2022/08/12 5:31 p.m. · 38 views

OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information

Impact: Requests to an OpenSearch cluster configured with advanced access control features (document level security (DLS), field level security (FLS), and/or field masking) will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to .kibana by...

CVSS 7.5 · AI score 7.2 · EPSS 0.00918
Exploits 0 · References 5 · Affected Software 1
OSV
added 2022/08/12 5:31 p.m. · 27 views

GHSA-F4QR-F4XX-HJXW OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information

Impact: Requests to an OpenSearch cluster configured with advanced access control features (document level security (DLS), field level security (FLS), and/or field masking) will not be filtered when the query's search pattern matches an aliased index. OpenSearch Dashboards creates an alias to .kibana by...

CVSS 7.5 · AI score 7.5 · EPSS 0.00918
Exploits 0 · References 5
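The four OpenSearch entries above (Prion, Cvelist, GHSA and OSV for CVE-2022-35980) describe DLS, FLS and field masking not being applied when a query targets an aliased index, with the `.kibana` alias that Dashboards creates as the case in point. The Python model below is an added example and not OpenSearch Security code; it reconstructs the shape of the defect by deciding a role's restrictions from the index name as requested versus from the concrete indices the name resolves to. The cluster state, the `.kibana -> .kibana_1` alias, the documents, and the role definition are all constructed for the illustration, and index-level read permission is assumed to be granted separately.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed cluster state (assumed for the example, not real OpenSearch data).
INDICES: Dict[str, List[dict]] = {
    ".kibana_1": [
        {"type": "dashboard", "title": "ops", "owner": "alice", "secret": "s1"},
        {"type": "dashboard", "title": "finance", "owner": "bob", "secret": "s2"},
    ],
}
ALIASES: Dict[str, List[str]] = {".kibana": [".kibana_1"]}  # the alias Dashboards creates

# Constructed role: restrictions are declared on the concrete index pattern. DLS keeps
# only the caller's own documents; FLS hides 'secret'. Index-level read permission is
# assumed to be granted elsewhere, so "no restriction" means "unfiltered".
ROLE = {
    "index_patterns": [".kibana_*"],
    "dls": lambda doc, user: doc["owner"] == user,
    "fls_exclude": {"secret"},
}


def resolve(name: str) -> List[str]:
    """Expand an alias to its concrete indices; a concrete name resolves to itself."""
    return ALIASES.get(name, [name])


def restrictions_for(role: dict, index: str) -> Optional[dict]:
    """Return the role's DLS/FLS restriction if `index` matches its patterns, else None."""
    if any(fnmatch.fnmatch(index, p) for p in role["index_patterns"]):
        return role
    return None


def apply_restriction(restriction: Optional[dict], docs: List[dict], user: str) -> List[dict]:
    """Apply DLS (drop documents) and FLS (drop fields); None passes documents through."""
    if restriction is None:
        return list(docs)
    return [
        {k: v for k, v in d.items() if k not in restriction["fls_exclude"]}
        for d in docs
        if restriction["dls"](d, user)
    ]


def search_unsafe(requested: str, user: str) -> List[dict]:
    """Flawed: the restriction decision uses the name exactly as requested, while the
    data is read from whatever that name resolves to. An alias does not match the
    role's concrete pattern, so nothing is filtered."""
    restriction = restrictions_for(ROLE, requested)
    docs = [d for idx in resolve(requested) for d in INDICES.get(idx, [])]
    return apply_restriction(restriction, docs, user)


def search_safe(requested: str, user: str) -> List[dict]:
    """Hardened: resolve first, then decide and apply restrictions per concrete index."""
    out: List[dict] = []
    for idx in resolve(requested):
        out.extend(apply_restriction(restrictions_for(ROLE, idx), INDICES.get(idx, []), user))
    return out


if __name__ == "__main__":
    print("unsafe via alias:", search_unsafe(".kibana", "alice"))
    print("safe via alias:  ", search_safe(".kibana", "alice"))
```

A practical check after upgrading past the affected 2.0.0.0 and 2.1.0.0 plugin versions is exactly the comparison this model makes: run the same query once against the alias and once against the concrete index as a DLS/FLS-restricted user and confirm the two result sets are identical.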
Github Security Blog
added 2022/07/27 10:06 p.m. · 26 views

Shopware vulnerable to persistent cross site scripting (XSS) in customer module

Impact: Persistent XSS in the customer module. Patches: We recommend updating to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin:...

CVSS 5.4 · AI score 5.2 · EPSS 0.00517
Exploits 0 · References 6 · Affected Software 1
OSSF Malicious Packages
added 2022/07/08 12:21 p.m. · 3 views

Malicious code in nexus-snyk-security-plugin (npm)

Source: ghsa-malware c9a9124035b1fe2f2161f9aac3e2da676b6ee8a964eba9fb37b209daec9b3c08. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1
OSV
added 2022/07/08 12:21 p.m. · 4 views

MAL-2022-4834 Malicious code in nexus-snyk-security-plugin (npm)

Source: ghsa-malware c9a9124035b1fe2f2161f9aac3e2da676b6ee8a964eba9fb37b209daec9b3c08. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1
Snyk
added 2022/07/07 8:06 a.m. · 3 views

Malicious Package

Overview: nexus-snyk-security-plugin is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if thi...

CVSS 9.8 · AI score 7.1
Exploits 0 · References 3
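The three nexus-snyk-security-plugin entries above (OSSF Malicious Packages, OSV MAL-2022-4834 and Snyk) classify the package as dependency confusion: a public npm name chosen to collide with an internal component so that a build resolves it from the public registry. The Python script below is an added example, not tooling from Snyk, OSSF or GitHub; it reads a package.json and the project's .npmrc and flags dependencies that look internal but are not routed to a private registry via an `@scope:registry=` line, which is npm's documented way to pin a scope. The package.json, .npmrc, registry URL and the internal naming patterns are constructed for the illustration.

```python
import json
import re
from typing import Dict, List

# Constructed inputs (assumed for the example): a package.json and the project's .npmrc.
PACKAGE_JSON = json.dumps({
    "name": "internal-build",
    "dependencies": {
        "lodash": "^4.17.21",
        "@acme/nexus-snyk-security-plugin": "1.0.0",   # scoped, pinned to private registry
        "nexus-snyk-security-plugin": "1.0.0",         # unscoped: resolves from npmjs.org
        "acme-release-tools": "2.3.1",                 # unscoped internal-looking name
    },
    "devDependencies": {"jest": "^29.0.0"},
})
NPMRC = """
@acme:registry=https://npm.internal.acme.example/
//npm.internal.acme.example/:_authToken=${NPM_TOKEN}
"""
# Name shapes the organisation uses for private components (assumed patterns).
INTERNAL_NAME_PATTERNS = [r"^acme-", r"^nexus-", r"-snyk-security-plugin$"]


def private_scopes(npmrc: str) -> Dict[str, str]:
    """Parse '@scope:registry=URL' lines from an .npmrc into {scope: url}."""
    scopes: Dict[str, str] = {}
    for line in npmrc.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry=(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def all_dependencies(pkg: dict) -> Dict[str, str]:
    """Merge every dependency section that npm would install."""
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    return deps


def looks_internal(name: str) -> bool:
    return any(re.search(p, name) for p in INTERNAL_NAME_PATTERNS)


def find_confusable(package_json: str, npmrc: str) -> List[str]:
    """Return dependency names that look internal but would resolve from the public
    registry: unscoped names, or scoped names whose scope has no private registry."""
    scopes = private_scopes(npmrc)
    findings: List[str] = []
    for name in all_dependencies(json.loads(package_json)):
        if name.startswith("@"):
            scope, bare = name.split("/", 1)
            if scope in scopes:
                continue                 # routed to the private registry
            if looks_internal(bare):
                findings.append(name)
        elif looks_internal(name):
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    for name in find_confusable(PACKAGE_JSON, NPMRC):
        print("public-registry resolution for internal-looking name:", name)
```

The scan is deliberately name-based and therefore produces candidates, not verdicts: the remedy for each finding is to move the package under a scope that .npmrc binds to the private registry, or to confirm it really is a public package.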
CNVD
added 2022/06/30 12:00 a.m. · 18 views

WordPress Security plugin cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. The WordPress Security plugin for WordPress in versions prior to 4.2.1 has a cross-site scripting vulnerability that...

CVSS 3.5 · AI score 0.8 · EPSS 0.0049
Exploits 2 · Affected Software 1
CNNVD
added 2022/06/27 12:00 a.m. · 4 views

WordPress plugin WordPress Security cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. The WordPress Security plugin for WordPress in versions prior to 4.2.1 has a cross-site scripting vulnerability that...

CVSS 4.8 · AI score 5.7 · EPSS 0.0049
Exploits 2 · References 2
OSV
added 2022/06/22 5:53 p.m. · 18 views

GHSA-Q754-VWC4-P6QJ Authenticated Stored Cross-site Scripting in Shopware

Impact: Authenticated Stored XSS in Administration. Patches: We recommend updating to version 5.7.12. You can get the update to 5.7.12 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/de/changelog-sw5/5-7-12 For older versions you can use the Security...

CVSS 5.4 · AI score 5.6 · EPSS 0.00542
Exploits 0 · References 8
WPVulnDB
added 2022/06/20 12:00 a.m. · 13 views

Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF

The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make logged-in users with the right capabilities call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. PoC: The following PoC codes a...

CVSS 6.5 · AI score 2.9 · EPSS 0.00612
Exploits 2 · Affected Software 1
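The Admin Management Xtended entry above, the Sucuri Security entry (CVE-2022-29489) and the Jenkins Script Security entry (CVE-2022-30946) earlier on the page all describe the same defect class: a state-changing endpoint that accepts any request carrying the victim's session cookie, with no proof that the user's own page sent it. The Python example below is added here and is not code from any of those plugins; it models a WordPress-style AJAX action first without and then with an action-bound nonce of the kind `check_ajax_referer()` enforces (Jenkins applies the same idea under the name crumb). The session table, server key, action name, post store and request shapes are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed server-side state (assumed for the example).
SERVER_KEY = secrets.token_bytes(32)
SESSIONS: Dict[str, str] = {"sid-editor-1": "editor"}   # session id -> user
POSTS: Dict[int, dict] = {7: {"status": "draft"}}


def make_nonce(session_id: str, action: str) -> str:
    """Derive a token bound to (session, action). Only a page the server rendered for
    this session can embed it, so an attacker's page has no way to supply it."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def verify_nonce(session_id: str, action: str, nonce) -> bool:
    expected = make_nonce(session_id, action).encode()
    return hmac.compare_digest(expected, (nonce or "").encode())


def ajax_update_status_unsafe(request: dict) -> str:
    """Flawed handler: trusts the session cookie alone. The browser attaches that cookie
    to a cross-site form POST as well, so any page the editor visits can trigger it."""
    user = SESSIONS.get(request["cookies"].get("sid"))
    if user is None:
        return "401 not logged in"
    POSTS[request["form"]["post_id"]]["status"] = request["form"]["status"]
    return "200 updated"


def ajax_update_status(request: dict) -> str:
    """Hardened handler: the same login check plus a nonce bound to this session and
    this action, verified before any state changes."""
    sid = request["cookies"].get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    if not verify_nonce(sid, "update_status", request["form"].get("_wpnonce")):
        return "403 bad nonce"
    POSTS[request["form"]["post_id"]]["status"] = request["form"]["status"]
    return "200 updated"


def csrf_request() -> dict:
    """A cross-site POST (constructed): the browser adds the victim's cookie, the
    attacker's page supplies the form fields, and no nonce is available to it."""
    return {"cookies": {"sid": "sid-editor-1"},
            "form": {"post_id": 7, "status": "publish"}}


def legitimate_request() -> dict:
    """The same action issued from the plugin's own admin page, which embeds the nonce."""
    req = csrf_request()
    req["form"]["_wpnonce"] = make_nonce("sid-editor-1", "update_status")
    return req


if __name__ == "__main__":
    print("unsafe handler, forged request:", ajax_update_status_unsafe(csrf_request()))
    print("safe handler, forged request:  ", ajax_update_status(csrf_request()))
    print("safe handler, own page:        ", ajax_update_status(legitimate_request()))
```

Binding the nonce to the action as well as the session matters: a token leaked from one form must not authorise a different one, which is why the check rejects a nonce minted for another action even from the right session.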
Tenable Nessus
added 2022/06/16 12:00 a.m. · 68 views

Jenkins plugins Multiple Vulnerabilities (2022-05-17)

According to their self-reported version numbers, the versions of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Jenkins Pipeline: Groovy Plugin 2689.v434009a31bf1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenki...

CVSS 8.8 · AI score 7.2 · EPSS 0.71335
Exploits 0 · References 29