Tag
#xss
The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.
The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAuthenticator OWA Agent for Microsoft version 2.2 and 2.1 may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
### Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: ```html <label> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and calling: ```js $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); ``` will turn the initial HTML into: ```html <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and the alert will get executed. ### Patches The bug has been patched in jQuery UI 1.13.2. ### Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`...
Chain of exploits could be triggered without any authentication
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.
An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username.