‼ CVE-2022-2340 ‼
📖 Read
via "National Vulnerability Database".
The W-DALIL WordPress plugin through 2.0 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2219 ‼
📖 Read
via "National Vulnerability Database".
The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1551 ‼
📖 Read
via "National Vulnerability Database".
The SP Project & Document Manager WordPress plugin through 4.57 uses an easily guessable path to store user files, bad actors could use that to access other users' sensitive files.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2299 ‼
📖 Read
via "National Vulnerability Database".
The Allow SVG Files WordPress plugin through 1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1539 ‼
📖 Read
via "National Vulnerability Database".
The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0594 ‼
📖 Read
via "National Vulnerability Database".
The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0899 ‼
📖 Read
via "National Vulnerability Database".
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2239 ‼
📖 Read
via "National Vulnerability Database".
The Request a Quote WordPress plugin through 2.3.7 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.📖 Read
via "National Vulnerability Database".
🗓️ Cisco patches dangerous bug trio in Nexus Dashboard 🗓️
📖 Read
via "The Daily Swig".
Inadequate access control and CSRF protections spawn critical and high severity issues📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Cisco patches dangerous bug trio in Nexus Dashboard
Inadequate access control and CSRF protections spawn critical and high severity issues
🕴 Aqua Launches Out-of-the-Box Runtime Security with Advanced Protection against the Most Sophisticated Threats 🕴
📖 Read
via "Dark Reading".
Security professionals can now achieve real-time protection for their workloads in minutes.📖 Read
via "Dark Reading".
Dark Reading
Aqua Launches Out-of-the-Box Runtime Security with Advanced Protection against the Most Sophisticated Threats
Security professionals can now achieve real-time protection for their workloads in minutes.
‼ CVE-2022-1312 ‼
📖 Read
via "National Vulnerability Database".
Use after free in storage in Google Chrome prior to 100.0.4896.88 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-33965 ‼
📖 Read
via "National Vulnerability Database".
Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plugin <= 5.7 at WordPress.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28441 ‼
📖 Read
via "National Vulnerability Database".
This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2522 ‼
📖 Read
via "National Vulnerability Database".
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0060.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40335 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1308 ‼
📖 Read
via "National Vulnerability Database".
Use after free in BFCache in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-21802 ‼
📖 Read
via "National Vulnerability Database".
The package grapesjs before 0.19.5 are vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-0670 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in Openstack manilla owning a Ceph File system "share", which enables the owner to read/write any manilla share or entire file system. The vulnerability is due to a bug in the "volumes" plugin in Ceph Manager. This allows an attacker to compromise Confidentiality and Integrity of a file system. Fixed in RHCS 5.2 and Ceph 17.2.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1307 ‼
📖 Read
via "National Vulnerability Database".
Inappropriate implementation in full screen in Google Chrome on Android prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1306 ‼
📖 Read
via "National Vulnerability Database".
Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2514 ‼
📖 Read
via "National Vulnerability Database".
The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim.📖 Read
via "National Vulnerability Database".