‼ CVE-2022-2373 ‼
📖 Read
via "National Vulnerability Database".
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36036 ‼
📖 Read
via "National Vulnerability Database".
mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was patched in version(s) 1.3.0 and 2.0.0-rc2. There are currently no known workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1663 ‼
📖 Read
via "National Vulnerability Database".
The Stop Spam Comments WordPress plugin through 0.2.1.2 does not properly generate the Javascript access token for preventing abuse of comment section, allowing threat authors to easily collect the value and add it to the request.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36037 ‼
📖 Read
via "National Vulnerability Database".
kirby is a content management system (CMS) that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting (XSS) is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. If bad actors gain access to your group of authenticated Panel users they can escalate their privileges via the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible. The multiselect field allows selection of tags from an autocompleted list. Unfortunately, the Panel in Kirby 3.5 used HTML rendering for the raw option value. This allowed **attackers with influence on the options source** to store HTML code. The browser of the victim who visited a page with manipulated multiselect options in the Panel will then have rendered this malicious HTML code when the victim opened the autocomplete dropdown. Users are *not* affected by this vulnerability if you don't use the multiselect field or don't use it with options that can be manipulated by attackers. The problem has been patched in Kirby 3.5.8.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1123 ‼
📖 Read
via "National Vulnerability Database".
The Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) WordPress plugin before 3.12.5 does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2374 ‼
📖 Read
via "National Vulnerability Database".
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2556 ‼
📖 Read
via "National Vulnerability Database".
The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2559 ‼
📖 Read
via "National Vulnerability Database".
The Fluent Support WordPress plugin before 1.5.8 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection vulnerability exploitable by high privilege users📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2538 ‼
📖 Read
via "National Vulnerability Database".
The WP Hide & Security Enhancer WordPress plugin before 1.8 does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36557 ‼
📖 Read
via "National Vulnerability Database".
Seiko SkyBridge MB-A100/A110 v4.2.0 and below was discovered to contain an arbitrary file upload vulnerability via the restore backup function. This vulnerability allows attackers to execute arbitrary code via a crafted html file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-38625 ‼
📖 Read
via "National Vulnerability Database".
Patlite NH-FB v1.46 and below was discovered to contain insufficient firmware validation during the upgrade firmware file upload process. This vulnerability allows authenticated attackers to create and upload their own custom-built firmware and inject malicious code.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-37681 ‼
📖 Read
via "National Vulnerability Database".
Hitachi Kokusai Electric Inc ISnex HC-IP9100HD Version 1.07 and below allows attackers to perform a directory traversal via a crafted GET request to the endpoint /ptippage.cgi.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36558 ‼
📖 Read
via "National Vulnerability Database".
Seiko SkyBridge MB-A100/A110 v4.2.0 and below implements a hard-coded passcode for the root account. Attackers are able to access the passcord via the file /etc/ciel.cfg.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36560 ‼
📖 Read
via "National Vulnerability Database".
Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain multiple hard-coded passcodes for root. Attackers are able to access the passcodes at /etc/srapi/config/system.conf and /usr/sbin/ssol-sshd.sh.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36553 ‼
📖 Read
via "National Vulnerability Database".
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36554 ‼
📖 Read
via "National Vulnerability Database".
A command injection vulnerability in the CLI (Command Line Interface) implementation of Hytec Inter HWL-2511-SS v1.05 and below allows attackers to execute arbitrary commands with root privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36555 ‼
📖 Read
via "National Vulnerability Database".
Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36559 ‼
📖 Read
via "National Vulnerability Database".
Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain a command injection vulnerability via the Ping parameter at ping_exec.cgi.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36556 ‼
📖 Read
via "National Vulnerability Database".
Seiko SkyBridge MB-A100/A110 v4.2.0 and below was discovered to contain a command injection vulnerability via the ipAddress parameter at 07system08execute_ping_01.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-37680 ‼
📖 Read
via "National Vulnerability Database".
An access control issue in Hitachi Kokusai Electric Inc ISnex HC-IP9100HD Version 1.07 and below allows attackers to remotely reboot the device via a crafted POST request to the endpoint /ptipupgrade.cgi.📖 Read
via "National Vulnerability Database".
👍1
‼ CVE-2022-36712 ‼
📖 Read
via "National Vulnerability Database".
Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /staff/studentdetails.php.📖 Read
via "National Vulnerability Database".