βΌ CVE-2023-22700 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in PixelYourSite PixelYourSite Γ’β¬β Your smart PIXEL (TAG) Manager plugin <= 9.3.0 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25991 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in RegistrationMagic plugin <= 5.1.9.2 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-38074 βΌ
π Read
via "National Vulnerability Database".
SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27063 βΌ
π Read
via "National Vulnerability Database".
Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the DNSDomainName parameter in the formModifyDnsForward function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26076 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Samsung Mobile Chipset and Baseband Modem Chipset for Exynos 1280, Exynos 2200, Exynos Modem 5123, Exynos Modem 5300, and Exynos Auto T5123. An intra-object overflow in the 5G SM message codec can occur due to insufficient parameter validation when decoding reserved options.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27093 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting vulnerability found in My-Blog allows attackers to cause a denial of service via the Post function.π Read
via "National Vulnerability Database".
β SHEIN shopping app goes rogue, grabs price and URL data from your clipboard β
π Read
via "Naked Security".
It's not exactly data theft, but it's worryingly close to "unintentional treachery" - apparently because it's great for marketing purposesπ Read
via "Naked Security".
Naked Security
SHEIN shopping app goes rogue, grabs price and URL data from your clipboard
Itβs not exactly data theft, but itβs worryingly close to βunintentional treacheryβ β apparently because itβs great for marketing purposes
π₯1
β Linux gets double-quick double-update to fix kernel Oops! β
π Read
via "Naked Security".
Linux doesn't BSoD. It has oopses and panics instead. (We show you how to make a kernel module to explore further.)π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2023-0538 βΌ
π Read
via "National Vulnerability Database".
The Campaign URL Builder WordPress plugin before 1.8.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0037 βΌ
π Read
via "National Vulnerability Database".
The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injectionπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0749 βΌ
π Read
via "National Vulnerability Database".
The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25170 βΌ
π Read
via "National Vulnerability Database".
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0844 βΌ
π Read
via "National Vulnerability Database".
The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2023-0066 βΌ
π Read
via "National Vulnerability Database".
The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0477 βΌ
π Read
via "National Vulnerability Database".
The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0772 βΌ
π Read
via "National Vulnerability Database".
The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0172 βΌ
π Read
via "National Vulnerability Database".
The Juicer WordPress plugin before 1.11 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0073 βΌ
π Read
via "National Vulnerability Database".
The Client Logo Carousel WordPress plugin through 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4466 βΌ
π Read
via "National Vulnerability Database".
The WordPress Infinite Scroll WordPress plugin before 5.6.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4661 βΌ
π Read
via "National Vulnerability Database".
The Widgets for WooCommerce Products on Elementor WordPress plugin before 1.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0219 βΌ
π Read
via "National Vulnerability Database".
The FluentSMTP WordPress plugin before 2.2.3 does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks (XSS) when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML.π Read
via "National Vulnerability Database".