βΌ CVE-2022-29853 βΌ
π Read
via "National Vulnerability Database".
OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45466 βΌ
π Read
via "National Vulnerability Database".
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, attackers can make a crafted request to api/?api=add_server&DHCP= to add an authorized_keys text file in the /resources/ folder.π Read
via "National Vulnerability Database".
βΌ CVE-2022-37308 βΌ
π Read
via "National Vulnerability Database".
OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-24117 βΌ
π Read
via "National Vulnerability Database".
Certain General Electric Renewable Energy products download firmware without an integrity check. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before 1.2.6.π Read
via "National Vulnerability Database".
β LastPass finally admits: Those crooks who got in? They did steal your password vaults, after allβ¦ β
π Read
via "Naked Security".
The crooks now know who you are, where you live, which computers are yours, where you go online... and they got those password vaults, too.π Read
via "Naked Security".
Naked Security
LastPass finally admits: Those crooks who got in? They did steal your password vaults, after allβ¦
The crooks now know who you are, where you live, which computers are yours, where you go online⦠and they got those password vaults, too.
βΌ CVE-2022-4266 βΌ
π Read
via "National Vulnerability Database".
The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attackπ Read
via "National Vulnerability Database".
βΌ CVE-2022-4042 βΌ
π Read
via "National Vulnerability Database".
The Paytium: Mollie payment forms & donations WordPress plugin through 4.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2022-4156 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4268 βΌ
π Read
via "National Vulnerability Database".
The Plugin Logic WordPress plugin through 1.0.7 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as adminπ Read
via "National Vulnerability Database".
βΌ CVE-2022-3835 βΌ
π Read
via "National Vulnerability Database".
The Kwayy HTML Sitemap WordPress plugin before 4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2022-4157 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4150 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4152 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4197 βΌ
π Read
via "National Vulnerability Database".
The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2022-4158 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4120 βΌ
π Read
via "National Vulnerability Database".
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chainπ Read
via "National Vulnerability Database".
βΌ CVE-2022-4243 βΌ
π Read
via "National Vulnerability Database".
The ImageInject WordPress plugin through TODO does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2022-4164 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4227 βΌ
π Read
via "National Vulnerability Database".
The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24942 βΌ
π Read
via "National Vulnerability Database".
The Menu Item Visibility Control WordPress plugin through 0.5 doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4166 βΌ
π Read
via "National Vulnerability Database".
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.π Read
via "National Vulnerability Database".