CVE-2021-21275 – CSRF in MediaWiki Report extension
https://notcve.org/view.php?id=CVE-2021-21275
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before the fixed version, there were no CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.
References: https://github.com/Kenny2github/Report/commit/f828dc6f73cdfaea5639edbf8ac7b326eeefb117 • https://github.com/Kenny2github/Report/security/advisories/GHSA-9f3w-c334-jm2h • https://www.oracle.com//security-alerts/cpujul2021.html • https://www.oracle.com/security-alerts/cpuapr2022.html
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-25012
https://notcve.org/view.php?id=CVE-2019-25012
The Webform Report project 7.x-1.x-dev for Drupal allows remote attackers to view submissions by visiting the /rss.xml page. NOTE: This project is not covered by Drupal's security advisory policy.
References: https://www.drupal.org/project/webform_report/issues/3101410
Weakness: CWE-425: Direct Request ('Forced Browsing')
CVE-2019-18932
https://notcve.org/view.php?id=CVE-2019-18932
log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows local privilege escalation. By default, it uses a fixed temporary directory /tmp/sarg. As the root user, sarg creates this directory or reuses an existing one in an insecure manner. An attacker can pre-create the directory and place symlinks in it (after winning a /tmp/sarg/denied.int_unsort race condition). The outcome will be corrupted or newly created files in privileged file system locations.
References: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00051.html • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00063.html • http://www.openwall.com/lists/oss-security/2020/01/20/6 • http://www.openwall.com/lists/oss-security/2020/01/27/1 • https://bugzilla.suse.com/show_bug.cgi?id=1150554 • https://seclists.org/oss-sec/2020/q1/23 • https://security.gentoo.org/glsa/202007-32 • https://sourceforge.net/projects/sarg
Weaknesses: CWE-59: Improper Link Resolution Before File Access ('Link Following') • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')