Security

Tag

#xss

CVE-2022-3909

The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE
#xss #wordpress

CVE-2022-3426

The Advanced WP Columns WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Drupal H5P Module 2.0.0 Zip Slip Traversal

Drupal H5P Module versions 2.0.0 and below suffer from a traversal vulnerability when handling a zipped filename on Windows.

CVE-2022-43504: WordPress 6.0.3 Security Release

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature.

CVE-2022-43499: JVN#86350682: Multiple vulnerabilities in SHIRASAGI

Stored cross-site scripting vulnerability in SHIRASAGI versions prior to v1.16.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.

CVE-2022-43487: Salon Booking System

Cross-site scripting vulnerability in Salon booking system versions prior to 7.9 allows a remote unauthenticated attacker to inject an arbitrary script.

CVE-2022-41830: Security vulnerabilities in Kyocera MFPs and printers | Kyocera Document Solutions

Stored cross-site scripting vulnerability in Kyocera Document Solutions MFPs and printers allows a remote authenticated attacker with an administrative privilege to inject arbitrary script. Affected products/versions are as follows: TASKalfa 7550ci/6550ci, TASKalfa 5550ci/4550ci/3550ci/3050ci, TASKalfa 255c/205c, TASKalfa 256ci/206ci, ECOSYS M6526cdn/M6526cidn, FS-C2126MFP/C2126MFP+/C2026MFP/C2026MFP+, TASKalfa 8000i/6500i, TASKalfa 5500i/4500i/3500i, TASKalfa 305/255, TASKalfa 306i/256i, LS-3140MFP/3140MFP+/3640MFP, ECOSYS M2535dn, LS-1135MFP/1035MFP, LS-C8650DN/C8600DN, ECOSYS P6026cdn, FS-C5250DN, LS-4300DN/4200DN/2100DN, ECOSYS P4040dn, ECOSYS P2135dn, and FS-1370DN.

CVE-2022-46391: fix cross site scripting by rekter0 · Pull Request #226 · eldy/AWStats

AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.