Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-1764

The WP-chgFontSize WordPress plugin through 1.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

CVE
#xss#csrf#wordpress
CVE-2022-1763

Due to missing checks the Static Page eXtended WordPress plugin through 2.1 is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific features. This could also lead to Stored Cross-Site Scripting due to the lack of escaping in some of the settings

CVE-2022-1759

The RB Internal Links WordPress plugin through 2.0.16 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, as well as perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping

CVE-2022-1758

The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.

CVE-2022-1756

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

CVE-2022-2065: Force to download SVG files to prevent security problems. · NeoRazorX/facturascripts@1d1edb4

Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06.

CVE-2022-2066: Sanitized username when showing user not found message. · NeoRazorX/facturascripts@73a6595

Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06.

Serious vulnerabilities found in ITarian software, patches available for SaaS products

Researchers at DIVD found vulnerabilities in ITarian products and worked with the vendor to develop patches. These patches are now available. The post Serious vulnerabilities found in ITarian software, patches available for SaaS products appeared first on Malwarebytes Labs.

CVE-2022-2060: Merge branch 'develop' of [email protected]:Dolibarr/dolibarr.git into d… · Dolibarr/dolibarr@2b5b995

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.

CVE-2017-20044

A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to basic cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component.