Luka Sikic

Researcher fromINFIGO
#12895of 53,635
20.8Total CVSS
Vulnerabilities · 3
Medium
2
High
1
PT-2020-18364
5.5
2020-03-30
Symfony · Symfony · CVE-2020-5274
**Name of the Vulnerable Software and Affected Versions** Symfony versions prior to 4.4.5 and 5.0.5 symfony/http-foundation versions prior to 4.4.5 and 5.0.5 **Description** The issue arises from the `ErrorHandler` rendering unescaped properties of the Exception class when displaying the stacktrace, which was also visible in non-debug configurations. This has been resolved by ensuring the `ErrorHandler` escapes all properties from the Exception and only displays the stacktrace in debug configurations. **Recommendations** For Symfony versions prior to 4.4.5, update to version 4.4.5 or later. For Symfony versions prior to 5.0.5, update to version 5.0.5 or later. As a temporary workaround, consider configuring the environment to debug mode only when necessary to minimize the risk of exploitation.
PT-2020-20601
8.8
2020-03-16
Zoho · Manageengine Password Manager Pro · CVE-2020-9346
**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Password Manager Pro versions 10.4 and prior **Description** The issue concerns a lack of protection against Cross-site Request Forgery (CSRF) attacks. This can be demonstrated by an attacker changing a user's role. **Recommendations** For Zoho ManageEngine Password Manager Pro versions 10.4 and prior, consider implementing additional security measures to protect against CSRF attacks, such as validating request tokens, until a patch is available. As a temporary workaround, restrict access to sensitive user management functions to minimize the risk of exploitation.
PT-2019-15568
6.5
2019-11-02
Woocommerce · Currency Switcher · CVE-2019-18668
**Name of the Vulnerable Software and Affected Versions** Currency Switcher addon for WooCommerce versions prior to 2.11.2 **Description** An issue allows an attacker to purchase items at a significantly cheaper price by providing a non-existent currency that is worth less than the default currency. If a user provides a currency not added by the administrator, it will be selected, but the price amount will fall back to the default currency. **Recommendations** For versions prior to 2.11.2, update to version 2.11.2 or later to resolve the issue. As a temporary workaround, consider restricting the currency selection to only those added by the administrator to minimize the risk of exploitation.