βΌ CVE-2022-2921 βΌ
π Read
via "National Vulnerability Database".
This will lead to privilege escalation from AP officers account to the System Administrator account. and gain more functionality such as Create/Update Companies. Install/Update Languages. Install/Activate Extensions. Install/Activate Themes. Install/Activate Chart of Accounts. Software Upgrade.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30036 βΌ
π Read
via "National Vulnerability Database".
MA Lighting grandMA2 Light has a password of root for the root account. NOTE: The vendor's position is that the product was designed for isolated networks. Also, the successor product, grandMA3, is not affected by this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2022-36198 βΌ
π Read
via "National Vulnerability Database".
Multiple SQL injections detected in Bus Pass Management System 1.0 via buspassms/admin/view-enquiry.php, buspassms/admin/pass-bwdates-reports-details.php, buspassms/admin/changeimage.php, buspassms/admin/search-pass.php, buspassms/admin/edit-category-detail.php, and buspassms/admin/edit-pass-detail.phpπ Read
via "National Vulnerability Database".
βΌ CVE-2022-36251 βΌ
π Read
via "National Vulnerability Database".
Clinic's Patient Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via patients.php.π Read
via "National Vulnerability Database".
β Fake Reservation Links Prey on Weary Travelers β
π Read
via "Threat Post".
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.π Read
via "Threat Post".
Threat Post
Fake Reservation Links Prey on Weary Travelers
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
βΌ CVE-2022-1340 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-2930 βΌ
π Read
via "National Vulnerability Database".
Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.π Read
via "National Vulnerability Database".
π1
β Laptop denial-of-service via music: the 1980s R&B song with a CVE! β
π Read
via "Naked Security".
We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)π Read
via "Naked Security".
Naked Security
Laptop denial-of-service via music: the 1980s R&B song with a CVE!
We havenβt validated this vuln ourselvesβ¦ but the source of the story is impeccable. (Impeccably dressed, at least.)
βΌ CVE-2022-2312 βΌ
π Read
via "National Vulnerability Database".
The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2594 βΌ
π Read
via "National Vulnerability Database".
The Advanced Custom Fields WordPress plugin before 5.12.3, Advanced Custom Fields Pro WordPress plugin before 5.12.3 allows unauthenticated users to upload files allowed in a default WP configuration (so PHP is not possible) if there is a frontend form available. This vulnerability was introduced in the 5.0 rewrite and did not exist prior to that release.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3586 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2022-2593 βΌ
π Read
via "National Vulnerability Database".
The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high privilege users to perform SQL Injection attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24911 βΌ
π Read
via "National Vulnerability Database".
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting.π Read
via "National Vulnerability Database".
βΌ CVE-2022-33900 βΌ
π Read
via "National Vulnerability Database".
PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2890 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2555 βΌ
π Read
via "National Vulnerability Database".
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2392 βΌ
π Read
via "National Vulnerability Database".
The Lana Downloads Manager WordPress plugin before 1.8.0 is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher.π Read
via "National Vulnerability Database".
βΌ CVE-2022-35654 βΌ
π Read
via "National Vulnerability Database".
Pega Platform from 8.5.4 to 8.7.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2557 βΌ
π Read
via "National Vulnerability Database".
The Team WordPress plugin before 4.1.2 contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the userπ Read
via "National Vulnerability Database".
βΌ CVE-2022-2362 βΌ
π Read
via "National Vulnerability Database".
The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based download blocking restrictions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-2558 βΌ
π Read
via "National Vulnerability Database".
The Simple Job Board WordPress plugin before 2.10.0 is susceptible to Directory Listing which allows the public listing of uploaded resumes in certain configurations.π Read
via "National Vulnerability Database".