π¨ CVE-2021-28418
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter.
π@cveNotify
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter.
π@cveNotify
GitHub
XSS Vulnerability in "category" parameter Β· Issue #207 Β· seopanel/Seo-Panel
Hi team, I would like to report XSS vulnerability. Description A cross-site scripting (XSS) issue in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via th...
π¨ CVE-2021-28417
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter.
π@cveNotify
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter.
π@cveNotify
GitHub
XSS Vulnerability in "search_name" parameter Β· Issue #208 Β· seopanel/Seo-Panel
Hi team, I would like to report XSS vulnerability. Description A cross-site scripting (XSS) issue in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via th...
π¨ CVE-2021-28420
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.
π@cveNotify
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.
π@cveNotify
GitHub
XSS Vulnerablity in "from_time" parameter Β· Issue #206 Β· seopanel/Seo-Panel
Hi team, I would like to report XSS vulnerability. Description A cross-site scripting (XSS) issue in the SEO admin login panel in version 4.8.0 allows remote attackers to inject JavaScript via the ...
π¨ CVE-2021-28419
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
π@cveNotify
The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases.
π@cveNotify
GitHub
Time-based blind SQLi Injection Vulnerability in "order_col" parameter Β· Issue #209 Β· seopanel/Seo-Panel
Hi Team I would like to report Time-based blind SQLI. Description: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to i...
π¨ CVE-2020-19417
Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users (such as the default account 'maint') to perform administrative tasks by sending specially crafted HTTP requests to the application.
π@cveNotify
Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users (such as the default account 'maint') to perform administrative tasks by sending specially crafted HTTP requests to the application.
π@cveNotify
Packetstormsecurity
Emerson Smart Wireless Gateway 1420 4.6.59 Privilege Escalation β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π¨ CVE-2020-13977
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
π@cveNotify
Nagios 4.4.5 allows an attacker, who already has administrative access to change the "URL for JSON CGIs" configuration setting, to modify the Alert Histogram and Trends code via crafted versions of the archivejson.cgi, objectjson.cgi, and statusjson.cgi files. NOTE: this vulnerability has been mistakenly associated with CVE-2020-1408.
π@cveNotify
Blog Simple
Nagios Core 4.4.5 β URL Injection (CVE-2020-13977)
π¨ CVE-2020-14989
An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows CSRF if the attacker uses GET where POST was intended.
π@cveNotify
An issue was discovered in Bloomreach Experience Manager (brXM) 4.1.0 through 14.2.2. It allows CSRF if the attacker uses GET where POST was intended.
π@cveNotify
tvrbk
Bloomreach Experience Manager 14.2.2
Bloomreach Experience Manager (brXM) was vulnerable to (CVE-2020-14988) cross-site scripting, (CVE-2020-14989) cross-site request forgery and (CVE-2020-14987) remote code execution. Details were shared with Bloomreach whereafter the CVEs were reserved.
π¨ CVE-2020-19419
Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.
π@cveNotify
Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication.
π@cveNotify
Packetstormsecurity
Emerson Smart Wireless Gateway 1420 4.6.59 Missing Authentication β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π¨ CVE-2020-0595
Use after free in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
π@cveNotify
Use after free in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
π@cveNotify
Netapp
Intel SA-00295 AMT Vulnerabilities in NetApp Products | NetApp Product Security
Multiple NetApp products incorporate Intel technology. Intel Active Management Technology versions prior to 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33 and 14.5.12 are susceptible to vulnerabilities which when successfully exploited could leadβ¦
π¨ CVE-2020-0594
Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
π@cveNotify
Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
π@cveNotify
Netapp
Intel SA-00295 AMT Vulnerabilities in NetApp Products | NetApp Product Security
Multiple NetApp products incorporate Intel technology. Intel Active Management Technology versions prior to 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33 and 14.5.12 are susceptible to vulnerabilities which when successfully exploited could leadβ¦
π¨ CVE-2020-0597
Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 14.0.33 may allow an unauthenticated user to potentially enable denial of service via network access.
π@cveNotify
Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 14.0.33 may allow an unauthenticated user to potentially enable denial of service via network access.
π@cveNotify
Netapp
Intel SA-00295 AMT Vulnerabilities in NetApp Products | NetApp Product Security
Multiple NetApp products incorporate Intel technology. Intel Active Management Technology versions prior to 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33 and 14.5.12 are susceptible to vulnerabilities which when successfully exploited could leadβ¦
π¨ CVE-2019-10172
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
π@cveNotify
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
π@cveNotify
π¨ CVE-2019-10202
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
π@cveNotify
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
π@cveNotify
π¨ CVE-2020-8674
Out-of-bounds read in DHCPv6 subsystem in Intel(R) AMT and Intel(R)ISM versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64 and 14.0.33 may allow an unauthenticated user to potentially enable information disclosure via network access.
π@cveNotify
Out-of-bounds read in DHCPv6 subsystem in Intel(R) AMT and Intel(R)ISM versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64 and 14.0.33 may allow an unauthenticated user to potentially enable information disclosure via network access.
π@cveNotify
Netapp
Intel SA-00295 AMT Vulnerabilities in NetApp Products | NetApp Product Security
Multiple NetApp products incorporate Intel technology. Intel Active Management Technology versions prior to 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33 and 14.5.12 are susceptible to vulnerabilities which when successfully exploited could leadβ¦
π¨ CVE-2021-24129
Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.
π@cveNotify
Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.
π@cveNotify
π¨ CVE-2021-24133
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.
π@cveNotify
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.
π@cveNotify
Wpscan
WPScan: WordPress Security
A WordPress vulnerability database for WordPress core security vulnerabilities, plugin vulnerabilities and theme vulnerabilities.
π¨ CVE-2021-24139
Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.
π@cveNotify
Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.
π@cveNotify
WPScan
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
See details on Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection CVE 2021-24139. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2021-24145
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
π@cveNotify
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
π@cveNotify
WPScan
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
See details on Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE CVE 2021-24145. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2021-24136
Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters:
- Author
- Job Title
- Location
- Company
- Email
- URL
π@cveNotify
Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters:
- Author
- Job Title
- Location
- Company
- URL
π@cveNotify
Wpscan
WPScan: WordPress Security
A WordPress vulnerability database for WordPress core security vulnerabilities, plugin vulnerabilities and theme vulnerabilities.
π¨ CVE-2021-24138
Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user.
π@cveNotify
Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user.
π@cveNotify