Enable SVG, WebP & ICO Upload Security Vulnerabilities
CVE-2024-5383 lakernote EasyAdmin upload cross site scripting
A vulnerability classified as problematic has been found in lakernote EasyAdmin up to 20240324. This affects an unknown part of the file /sys/file/upload. The manipulation of the argument file leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been...
3.5CVSS
6.2AI Score
0.0004EPSS
A vulnerability was found in SourceCodester Vehicle Management System 1.0. It has been classified as critical. This affects an unknown part of the file /newvehicle.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit...
7.3CVSS
6.8AI Score
0.0004EPSS
A vulnerability was found in SourceCodester Vehicle Management System 1.0. It has been classified as critical. This affects an unknown part of the file /newvehicle.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit...
7.3CVSS
7.2AI Score
0.0004EPSS
CVE-2024-5377 SourceCodester Vehicle Management System newvehicle.php unrestricted upload
A vulnerability was found in SourceCodester Vehicle Management System 1.0. It has been classified as critical. This affects an unknown part of the file /newvehicle.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit...
7.3CVSS
7.2AI Score
0.0004EPSS
CVE-2024-5377 SourceCodester Vehicle Management System newvehicle.php unrestricted upload
A vulnerability was found in SourceCodester Vehicle Management System 1.0. It has been classified as critical. This affects an unknown part of the file /newvehicle.php. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit...
7.3CVSS
6.9AI Score
0.0004EPSS
7.5CVSS
6.5AI Score
0.013EPSS
Updated roundcubemail packages fix security vulnerabilities
This is a security update to the stable version 1.6 of Roundcube Webmail. Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes. Reported by Valentin T. and Lutz Wolf of CrowdStrike. Fix cross-site scripting (XSS) vulnerability in handling list columns from user...
6.8AI Score
[SECURITY] Fedora 40 Update: loupe-46.2-2.fc40
An image viewer application written with GTK 4, Libadwaita and Rust. Features: - Fast GPU accelerated image rendering with tiled rendering for SVGs - Extendable and sandboxed (expect SVG) image decoding - Support for more than 15 image formats by default - Extensive support for touchpad and...
7.4AI Score
The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
6.4CVSS
5.8AI Score
0.0004EPSS
The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
6.4CVSS
6AI Score
0.0004EPSS
Wordpress Hash Form – Drag & Drop Form Builder <= 1.1.0 -...
9.8CVSS
8.5AI Score
0.035EPSS
The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
6.4CVSS
5.8AI Score
0.0004EPSS
The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
6.4CVSS
6AI Score
0.0004EPSS
The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and....
6.4CVSS
5.8AI Score
0.001EPSS
The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and....
6.4CVSS
6AI Score
0.001EPSS
CVE-2024-5220 ND Shortcodes <= 7.5 - Authenticated (Author+) Stored Cross-Site Scripting
The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and....
6.4CVSS
6AI Score
0.001EPSS
CVE-2024-5220 ND Shortcodes <= 7.5 - Authenticated (Author+) Stored Cross-Site Scripting
The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and....
6.4CVSS
5.9AI Score
0.001EPSS
An issue was discovered in Vaultize 21.07.27. When uploading files, there is no check that the filename parameter is correct. As a result, a temporary file will be created outside the specified directory when the file is downloaded. To exploit this, an authenticated user would upload a file with...
7AI Score
EPSS
An issue was discovered in Vaultize 21.07.27. When uploading files, there is no check that the filename parameter is correct. As a result, a temporary file will be created outside the specified directory when the file is downloaded. To exploit this, an authenticated user would upload a file with...
6.4AI Score
EPSS
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version...
3.7CVSS
4.1AI Score
0.0004EPSS
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version...
3.7CVSS
6.6AI Score
0.0004EPSS
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version...
3.7CVSS
6.5AI Score
0.0004EPSS
CVE-2024-35232 github.com/huandu/facebook may expose access_token in error message
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version...
3.7CVSS
4AI Score
0.0004EPSS
CVE-2024-35232 github.com/huandu/facebook may expose access_token in error message
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in error message on fail in HTTP request. This issue has been patched in version...
3.7CVSS
6.8AI Score
0.0004EPSS
Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities
Summary IBM Security Guardium has addressed these vulnerabilities with updates. Vulnerability Details ** CVEID: CVE-2023-34054 DESCRIPTION: **VMware Tanzu Reactor Netty is vulnerable to a denial of service, caused by a flaw when built-in integration with Micrometer is enabled. By sending...
9.1CVSS
10AI Score
0.015EPSS
An arbitrary file upload vulnerability in the File preview function of Raingad IM v4.1.4 allows attackers to execute arbitrary code via uploading a crafted PDF...
8.1AI Score
EPSS
An arbitrary file upload vulnerability in O2OA v8.3.8 allows attackers to execute arbitrary code via uploading a crafted PDF...
7.4AI Score
EPSS
An arbitrary file upload vulnerability in the File Preview function of Xintongda OA v2023.12.30.1 allows attackers to execute arbitrary code via uploading a crafted PDF...
7.4AI Score
EPSS
An arbitrary file upload vulnerability in the Upload function of Box-IM v2.0 allows attackers to execute arbitrary code via uploading a crafted PDF...
8.1AI Score
EPSS
An arbitrary file upload vulnerability in the Upload function of Box-IM v2.0 allows attackers to execute arbitrary code via uploading a crafted PDF...
7.4AI Score
EPSS
An arbitrary file upload vulnerability in the File preview function of Raingad IM v4.1.4 allows attackers to execute arbitrary code via uploading a crafted PDF...
7.4AI Score
EPSS
An arbitrary file upload vulnerability in the File Preview function of Xintongda OA v2023.12.30.1 allows attackers to execute arbitrary code via uploading a crafted PDF...
8.1AI Score
EPSS
An arbitrary file upload vulnerability in O2OA v8.3.8 allows attackers to execute arbitrary code via uploading a crafted PDF...
7.7AI Score
EPSS
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled...
9.6CVSS
4.9AI Score
0.0004EPSS
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author...
6.4CVSS
6AI Score
0.0004EPSS
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author...
6.4CVSS
7.7AI Score
0.0004EPSS
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author...
6.4CVSS
6AI Score
0.0004EPSS
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper.....
8.8CVSS
7.5AI Score
0.0005EPSS
openSUSE: Security Advisory for python (SUSE-SU-2024:1673-1)
The remote host is missing an update for...
9.8CVSS
7.4AI Score
0.007EPSS
bind-dyndb-ldap [11.6-4] - Modify empty zone conflicts under exclusive mode Resolves: rhbz#2126877 [11.6-3] - Rebuild against bind 9.11.36 - Resolves: rhbz#2022762 [11.6-2] - Rebuild against bind 9.11.26 - Resolves: rhbz#1904612 [11.6-1] - New upstream release - Resolves: rhbz#1891735 [11.3-1] -...
5.3CVSS
7.6AI Score
0.0004EPSS
SVGator <= 1.2.6 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. PoC 1. Create a SVG file with the malicious payload within it; Example SVG file:...
5.5AI Score
0.0004EPSS
SVGMagic <= 1.1 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS...
5.8AI Score
0.0004EPSS
ND Shortcodes < 7.6 - Authenticated (Author+) Stored Cross-Site Scripting
Description The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
6.4CVSS
5.9AI Score
0.001EPSS
LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC Request: POST...
5.5AI Score
0.0004EPSS
SVGator <= 1.2.6 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS...
5.8AI Score
0.0004EPSS
LuckyWP Table of Contents <= 2.1.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.6AI Score
0.0004EPSS
python39:3.9 and python39-devel:3.9 security update
mod_wsgi [4.7.1-7] - Bump release for rebuild Resolves: rhbz#2213595 [4.7.1-6] - Remove rpath Resolves: rhbz#2213837 [4.7.1-5] - Core dumped upon file upload >= 1GB Resolves: rhbz#2125172 [4.7.1-4] - Convert from Fedora to the python39 module in RHEL8 - Resolves: rhbz#1877430 [4.7.1-3] - Rebuilt...
8.1CVSS
6.7AI Score
0.005EPSS
Reviews and Rating – Google Reviews < 5.3 - Authenticated (Author+) Stored Cross-Site Scripting
Description The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated.....
6.4CVSS
5.8AI Score
0.0004EPSS
SVGMagic <= 1.1 - Stored XSS via SVG Upload
Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. PoC 1. Create a SVG file with the malicious payload within it; Example SVG file:...
5.5AI Score
0.0004EPSS
Custom Fonts – Host Your Fonts Locally < 2.1.5 - Author+ Stored XSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via svg file upload due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a....
6.4CVSS
5.8AI Score
0.0004EPSS