Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-30784: WordPress Kaya QR Code Generator plugin <= 1.5.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Kaya Studio Kaya QR Code Generator plugin <= 1.5.2 versions.

CVE
Open in Source
#xss#vulnerability#web#wordpress#auth
CVE-2023-30473: WordPress YML for Yandex Market plugin <= 3.10.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov YML for Yandex Market plugin <= 3.10.7 versions.

CVE-2023-30786: WordPress Captcha Them All plugin <= 1.3.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Benjamin Guy Captcha Them All plugin <= 1.3.3 versions.

CVE-2023-30785: WordPress Video Grid plugin <= 1.21 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Video Grid plugin <= 1.21 versions.

CVE-2023-30782: WordPress Church Admin plugin <= 3.7.5 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin <= 3.7.5 versions.

GHSA-fr9g-2m2h-c27j: Duplicate Advisory: @excalidraw/excalidraw Cross-site Scripting vulnerability

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v7v8-gjv7-ffmr. This link is maintained to preserve external references. ## Original Description Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

CVE-2023-26140: fix: stronger enforcement of normalizeLink (#6728) · excalidraw/excalidraw@b33fa6d

Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

CVE-2023-39849: GitHub - zhuifengshaonianhanlu/pikachu: 一个好玩的Web安全-漏洞测试平台

Pikachu v1.0 was discovered to contain a SQL injection vulnerability via the $username parameter at \inc\function.php.

GHSA-6xcx-gx7r-rccj: Scancode.io Reflected Cross-Site Scripting (XSS) in license endpoint

### Summary In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. ### Details In the `/license/` endpoint, the `license_details_view` function is vulnerable to a potential cross-site scripting (XSS) attack due to inadequate validation and sanitization of the `key` parameter. This vulnerability arises when attempting to access a key with malicious javascript. ```python def license_details_view(request, key): """ Display all available information about a given license `key` followed by the full license text. """ licenses = get_licenses() try: data = saneyaml.dump(licenses[key].to_dict()) text = licenses[key].text except KeyError: return HttpResponseNotFound(f"License {key} not found.") # Leads to cross-site scripting when key is malicious javascript re...