๐จ CVE-2019-9978
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
๐@cveNotify
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2019-0211
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
๐@cveNotify
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
๐@cveNotify
๐จ CVE-2024-27139
** UNSUPPORTED WHEN ASSIGNED **
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
** UNSUPPORTED WHEN ASSIGNED **
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
๐จ CVE-2024-6970
A vulnerability classified as critical has been found in itsourcecode Tailoring Management System 1.0. Affected is an unknown function of the file /staffcatadd.php. The manipulation of the argument title leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272124.
๐@cveNotify
A vulnerability classified as critical has been found in itsourcecode Tailoring Management System 1.0. Affected is an unknown function of the file /staffcatadd.php. The manipulation of the argument title leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272124.
๐@cveNotify
๐จ CVE-2024-41709
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.
๐@cveNotify
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission.
๐@cveNotify
๐จ CVE-2024-5004
The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks
๐@cveNotify
The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks
๐@cveNotify
WPScan
CM Popup Plugin for WordPress < 1.6.6 - Contributor+ Stored XSS
See details on CM Popup Plugin for WordPress < 1.6.6 - Contributor+ Stored XSS CVE 2024-5004. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-5529
The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
๐@cveNotify
The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
๐@cveNotify
WPScan
WP QuickLaTeX < 3.8.8 - Admin+ Stored XSS
See details on WP QuickLaTeX < 3.8.8 - Admin+ Stored XSS CVE 2024-5529. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-5973
The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't have.
๐@cveNotify
The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't have.
๐@cveNotify
WPScan
MasterStudy LMS < 3.3.24 - Privilege Escalation to Instructor
See details on MasterStudy LMS < 3.3.24 - Privilege Escalation to Instructor CVE 2024-5973. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-6243
The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.
๐@cveNotify
The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.
๐@cveNotify
WPScan
HTML Forms < 1.3.33 - Admin+ Stored XSS
See details on HTML Forms < 1.3.33 - Admin+ Stored XSS CVE 2024-6243. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-6244
The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
๐@cveNotify
The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
๐@cveNotify
WPScan
pz-frontend-manager < 1.0.6 - CSRF change user profile picture
See details on pz-frontend-manager < 1.0.6 - CSRF change user profile picture CVE 2024-6244. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-6271
The Community Events WordPress plugin before 1.5 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack
๐@cveNotify
The Community Events WordPress plugin before 1.5 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete arbitrary events via a CSRF attack
๐@cveNotify
WPScan
Community Events < 1.5 - Event Deletion via CSRF
See details on Community Events < 1.5 - Event Deletion via CSRF CVE 2024-6271. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-37391
ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss.
๐@cveNotify
ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss.
๐@cveNotify
GitHub
Fix drive installer path ยท ProtonVPN/win-app@2e4e250
Official ProtonVPN Windows app. Contribute to ProtonVPN/win-app development by creating an account on GitHub.
๐จ CVE-2024-41806
The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.
๐@cveNotify
The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.
๐@cveNotify
GitHub
Merge commit from fork ยท openedx/openedx-platform@cb729a3
fix: libraries across orgs
๐จ CVE-2023-1711
A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements.
If exploited an attacker could obtain confidential information.
List of CPEs:
* cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:*
*
* cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:*
๐@cveNotify
A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements.
If exploited an attacker could obtain confidential information.
List of CPEs:
* cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:*
*
* cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:*
* cpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:*
๐@cveNotify
๐จ CVE-2024-38784
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Beaver Builder allows Stored XSS.This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.6.1.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Beaver Builder allows Stored XSS.This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.6.1.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Livemesh Addons for Beaver Builder Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-38785
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jegstudio Gutenverse allows Stored XSS.This issue affects Gutenverse: from n/a through 1.9.2.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jegstudio Gutenverse allows Stored XSS.This issue affects Gutenverse: from n/a through 1.9.2.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Gutenverse Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-38786
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BurgerThemes CoziPress allows Stored XSS.This issue affects CoziPress: from n/a through 1.0.30.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BurgerThemes CoziPress allows Stored XSS.This issue affects CoziPress: from n/a through 1.0.30.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress CoziPress Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-37459
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PayPlus LTD PayPlus Payment Gateway allows Reflected XSS.This issue affects PayPlus Payment Gateway: from n/a through 6.6.8.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PayPlus LTD PayPlus Payment Gateway allows Reflected XSS.This issue affects PayPlus Payment Gateway: from n/a through 6.6.8.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress PayPlus Payment Gateway Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-37460
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SuperSaaS SuperSaaS โ online appointment scheduling allows Stored XSS.This issue affects SuperSaaS โ online appointment scheduling: from n/a through 2.1.9.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SuperSaaS SuperSaaS โ online appointment scheduling allows Stored XSS.This issue affects SuperSaaS โ online appointment scheduling: from n/a through 2.1.9.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress SuperSaaS โ online appointment scheduling Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-37461
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Martin Gibson IdeaPush allows Stored XSS.This issue affects IdeaPush: from n/a through 8.65.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Martin Gibson IdeaPush allows Stored XSS.This issue affects IdeaPush: from n/a through 8.65.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress IdeaPush Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-37465
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Senol Sahin GPT3 AI Content Writer allows Stored XSS.This issue affects GPT3 AI Content Writer: from n/a through 1.8.66.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Senol Sahin GPT3 AI Content Writer allows Stored XSS.This issue affects GPT3 AI Content Writer: from n/a through 1.8.66.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress GPT3 AI Content Writer Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.