‼ CVE-2022-31161 ‼
via "National Vulnerability Database".
Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue.
‼ CVE-2022-25869 ‼
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
‼ CVE-2022-32434 ‼
EIPStackGroup OpENer v2.3.0 was discovered to contain a stack overflow via /bin/posix/src/ports/POSIX/OpENer+0x56073d.
‼ CVE-2022-35890 ‼
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
‼ CVE-2022-30634 ‼
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
‼ CVE-2021-36711 ‼
WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
‼ CVE-2022-36126 ‼
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script.
‼ CVE-2015-10003 ‼
A vulnerability, which was classified as problematic, was found in FileZilla Server up to 0.9.50. This affects an unknown part of the component PORT Handler. The manipulation leads to unintended intermediary. It is possible to initiate the attack remotely. Upgrading to version 0.9.51 is able to address this issue. It is recommended to upgrade the affected component.
‼ CVE-2020-7641 ‼
This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
‼ CVE-2022-2149 ‼
The Very Simple Breadcrumb WordPress plugin through 1.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
‼ CVE-2022-2168 ‼
The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting.
‼ CVE-2022-2114 ‼
The Data Tables Generator by Supsystic WordPress plugin before 1.10.20 does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).
‼ CVE-2021-24655 ‼
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
‼ CVE-2022-1933 ‼
The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to Reflected Cross-Site Scripting.
‼ CVE-2022-2118 ‼
The 404s WordPress plugin before 3.5.1 does not sanitise and escape its fields, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
‼ CVE-2022-2146 ‼
The Import CSV Files WordPress plugin through 1.0 does not sanitise and escape imported data before outputting it back in a page, and also lacks a CSRF check when performing this action, resulting in Reflected Cross-Site Scripting.
‼ CVE-2022-2148 ‼
The LinkedIn Company Updates WordPress plugin through 1.5.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
‼ CVE-2022-1672 ‼
The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not perform a CSRF check before doing various actions such as deleting Custom URLs, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks.
‼ CVE-2022-2194 ‼
The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
‼ CVE-2022-2151 ‼
The Best Contact Management Software WordPress plugin through 3.7.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
‼ CVE-2022-2173 ‼
The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting.