π¨ CVE-2024-43936
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper EmbedPress allows Stored XSS.This issue affects EmbedPress: from n/a through 4.0.8.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper EmbedPress allows Stored XSS.This issue affects EmbedPress: from n/a through 4.0.8.
π@cveNotify
Patchstack
WordPress EmbedPress plugin <= 4.0.8 - Cross Site Scripting (XSS) vulnerability - Patchstack
Hand curated, verified and enriched vulnerability information by Patchstack security experts. Find all WordPress plugin, theme and core security issues.
π¨ CVE-2024-43946
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SKT Themes SKT Blocks β Gutenberg based Page Builder allows Stored XSS.This issue affects SKT Blocks β Gutenberg based Page Builder: from n/a through 1.5.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SKT Themes SKT Blocks β Gutenberg based Page Builder allows Stored XSS.This issue affects SKT Blocks β Gutenberg based Page Builder: from n/a through 1.5.
π@cveNotify
Patchstack
WordPress SKT Blocks plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability - Patchstack
Hand curated, verified and enriched vulnerability information by Patchstack security experts. Find all WordPress plugin, theme and core security issues.
π¨ CVE-2023-45560
An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
π@cveNotify
An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
π@cveNotify
GitHub
CVE-reports/CVE-2023-45560.md at main Β· syz913/CVE-reports
Contribute to syz913/CVE-reports development by creating an account on GitHub.
π¨ CVE-2023-43901
Incorrect access control in the AdHoc User creation form of EMSigner v2.8.7 allows unauthenticated attackers to arbitrarily modify usernames and privileges by using the email address of a registered user.
π@cveNotify
Incorrect access control in the AdHoc User creation form of EMSigner v2.8.7 allows unauthenticated attackers to arbitrarily modify usernames and privileges by using the email address of a registered user.
π@cveNotify
Cybersecurity Experts |Pentesting|Security|Hacking|Vulnerability|Training|Course|SecPro
EMSigner CVE 1 | Cybersecurity Experts |Pentesting|Security|Hacking|Vulnerability|Training|Course|SecPro
π¨ CVE-2024-8088
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected.
When iterating over names of entries in a zip archive (for example, methods
of "zipfile.Path" like "namelist()", "iterdir()", etc)
the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
π@cveNotify
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected.
When iterating over names of entries in a zip archive (for example, methods
of "zipfile.Path" like "namelist()", "iterdir()", etc)
the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
π@cveNotify
GitHub
gh-123270: Replaced SanitizedNames with a more surgical fix. (#123354) Β· python/cpython@2231286
Applies changes from zipp 3.20.1 and jaraco/zipp#124
π¨ CVE-2024-7691
The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators.
π@cveNotify
The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators.
π@cveNotify
WPScan
Flaming Forms <= 1.0.1 - Unauthenticated Stored XSS
See details on Flaming Forms <= 1.0.1 - Unauthenticated Stored XSS CVE 2024-7691. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2024-7692
The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
π@cveNotify
The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
π@cveNotify
WPScan
Flaming Forms <= 1.0.1 - Reflected XSS
See details on Flaming Forms <= 1.0.1 - Reflected XSS CVE 2024-7692. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2024-45622
ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.
π@cveNotify
ASIS (aka Aplikasi Sistem Sekolah using CodeIgniter 3) 3.0.0 through 3.2.0 allows index.php username SQL injection for Authentication Bypass.
π@cveNotify
GitHub
cve/2024/ASIS_AplikasiSistemSekolah_Using_CodeIgniter3-SQL_Injection_Authentication_Bypass.md at main Β· atoz-chevara/cve
Contribute to atoz-chevara/cve development by creating an account on GitHub.
β€1
π¨ CVE-2024-44920
A cross-site scripting (XSS) vulnerability in the component admin_collect_news.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the siteurl parameter.
π@cveNotify
A cross-site scripting (XSS) vulnerability in the component admin_collect_news.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the siteurl parameter.
π@cveNotify
GitHub
nn0nkey/CVE-2024-44920.md at main Β· nn0nkey/nn0nkey
lll. Contribute to nn0nkey/nn0nkey development by creating an account on GitHub.
π¨ CVE-2023-5992
A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.
π@cveNotify
A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.
π@cveNotify
π¨ CVE-2024-45435
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.
π@cveNotify
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function.
π@cveNotify
Gist
Vulnerability Advisory: Prototype Pollution in chartist, versions <= 1.3.0
Vulnerability Advisory: Prototype Pollution in chartist, versions <= 1.3.0 - chartist-js.md
π¨ CVE-2024-44921
SeaCMS v12.9 was discovered to contain a SQL injection vulnerability via the id parameter at /dmplayer/dmku/index.php?ac=del.
π@cveNotify
SeaCMS v12.9 was discovered to contain a SQL injection vulnerability via the id parameter at /dmplayer/dmku/index.php?ac=del.
π@cveNotify
GitHub
nn0nkey/CVE-2024-44921.md at main Β· nn0nkey/nn0nkey
lll. Contribute to nn0nkey/nn0nkey development by creating an account on GitHub.
π¨ CVE-2023-49233
Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level.
π@cveNotify
Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level.
π@cveNotify
Schutzwerk
Advisory: Insufficient Access Controls in Visual Planning
Release of SCHUTZWERK-SA-2023-005 - During a recent assessment, we discovered a critical vulnerability in Visual Planning, which allows a privilege escalation from non-administrative account to administrator level.
π¨ CVE-2024-43412
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the users browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to preview previewing of generic files. There are no workarounds for this issue.
π@cveNotify
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the users browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to preview previewing of generic files. There are no workarounds for this issue.
π@cveNotify
GitHub
Modules: Disable library media preview for generic file (#2706) Β· xibosignage/xibo-cms@d8f1333
Xibo Content Management System. Contribute to xibosignage/xibo-cms development by creating an account on GitHub.
π¨ CVE-2024-33893
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to XSS when displaying the logs due to improper input sanitization. This is fixed in version 21.2s10 and 22.1s3.
π@cveNotify
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to XSS when displaying the logs due to improper input sanitization. This is fixed in version 21.2s10 and 22.1s3.
π@cveNotify
SySS Tech Blog
Hacking a Secure Industrial Remote Access Gateway
In this blog post, we describe the security analysis and the found vulnerabilities in the industrial remote access solution Ewon Cosy+.
π¨ CVE-2024-33895
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 use a unique key to encrypt the configuration parameters. This is fixed in version 21.2s10 and 22.1s3, the key is now unique per device.
π@cveNotify
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 use a unique key to encrypt the configuration parameters. This is fixed in version 21.2s10 and 22.1s3, the key is now unique per device.
π@cveNotify
SySS Tech Blog
Hacking a Secure Industrial Remote Access Gateway
In this blog post, we describe the security analysis and the found vulnerabilities in the industrial remote access solution Ewon Cosy+.
π¨ CVE-2024-33896
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in version 21.2s10 and 22.1s3.
π@cveNotify
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. This is fixed in version 21.2s10 and 22.1s3.
π@cveNotify
SySS Tech Blog
Hacking a Secure Industrial Remote Access Gateway
In this blog post, we describe the security analysis and the found vulnerabilities in the industrial remote access solution Ewon Cosy+.
π¨ CVE-2024-3886
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the βenvato_code[]β parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
π@cveNotify
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the βenvato_code[]β parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
π@cveNotify
tagDiv
Newspaper Theme Details
Newspaper is a bestselling WordPress theme that lets you write articles and blog posts with ease. We offer great support and friendly help!
π¨ CVE-2023-45284
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
π@cveNotify
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
π@cveNotify
π¨ CVE-2023-28134
Local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
π@cveNotify
Local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
π@cveNotify
π¨ CVE-2023-48058
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/task/run
π@cveNotify
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/task/run
π@cveNotify