FileBird – WordPress Media Library Folders & File Manager Security Vulnerabilities

CVE-2024-39349

A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the upstream library. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology...

CVE-2024-5730 Pagerank Tools <= 1.1.5 - Reflected XSS

The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5730 Pagerank Tools <= 1.1.5 - Reflected XSS

The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5728 Animated AL List <= 1.0.6 - Reflected XSS

The Animated AL List WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5729 Simple AL Slider <= 1.2.10 - Reflected XSS

The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5728 Animated AL List <= 1.0.6 - Reflected XSS

The Animated AL List WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5729 Simple AL Slider <= 1.2.10 - Reflected XSS

The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5570 Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update

The Simple Photoswipe WordPress plugin through 0.1 does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update...

CVE-2024-5727 Widget4Call <= 1.0.7 - Reflected XSS

The Widget4Call WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5727 Widget4Call <= 1.0.7 - Reflected XSS

The Widget4Call WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2024-5570 Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update

The Simple Photoswipe WordPress plugin through 0.1 does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update...

CVE-2024-6296 Stackable – Page Builder Gutenberg Blocks <= 3.13.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-caption’ parameter in all versions up to, and including, 3.13.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-6296 Stackable – Page Builder Gutenberg Blocks <= 3.13.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-caption’ parameter in all versions up to, and including, 3.13.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5864 Easy Affiliate Links <= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access...

CVE-2024-5864 Easy Affiliate Links <= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset

The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access...

CVE-2024-5863 Easy Image Collage <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance

The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above,...

CVE-2024-5863 Easy Image Collage <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance

The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above,...

GHSA-2C7C-3MJ9-8FQH vulnerabilities

Vulnerabilities for packages: kubescape, slsa-verifier, dex, gitsign, istio-pilot-discovery, kyverno, flux-source-controller, aactl, tkn, cloudflared, tekton-pipelines, keda, cilium-envoy, spire-server, falco, vault, fulcio, vexctl, argo-workflows, traefik, cert-manager, external-secrets-operator,....

GHSA-JQ35-85CJ-FJ4P vulnerabilities

Vulnerabilities for packages: up, kubescape, chartmuseum, slsa-verifier, kpt, k3d, loki, aactl, ctop, k3s, bom, tekton-pipelines, falco, goreleaser, prometheus, skaffold, cert-manager, tekton-chains, paranoia,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: consul, kubescape, kube-bench, crossplane, prometheus-nats-exporter, caddy, istio-pilot-discovery, aws-ebs-csi-driver, nodetaint, ollama, flux-source-controller, kaniko, docker, hugo-extended, flux-notification-controller, temporal-ui-server, istio-cni, cloudflared,...

CVE-2024-25620 vulnerabilities

Vulnerabilities for packages: up, kubescape, chartmuseum, k8sgpt, cilium-cli, trivy, istio-operator, flux-source-controller, zot, helm-operator, cert-manager, zarf, flux-helm-controller, eksctl, k9s, helm-push,...

GHSA-7WW5-4WQC-M92C vulnerabilities

Vulnerabilities for packages: up, kubescape, melange, flux-source-controller, kaniko, k3d, ctop, kubevela, tekton-pipelines, flux-helm-controller, newrelic-infrastructure-agent, eksctl, grype, neuvector-agent, skaffold, telegraf, zot, gitness, cert-manager, helm-push, cilium-cli, trivy, helm,...

GHSA-R53H-JV2G-VPX6 vulnerabilities

Vulnerabilities for packages: up, kubescape, chartmuseum, k8sgpt, cilium-cli, trivy, istio-operator, flux-source-controller, zot, helm-operator, cert-manager, zarf, flux-helm-controller, eksctl, k9s, helm-push,...

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: consul, nri-mssql, kube-bench, crossplane, mage, caddy, nodetaint, aws-ebs-csi-driver, cue, prometheus-blackbox-exporter, temporal-ui-server, ytt, kor, kuberay-operator, petname, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator, direnv,...

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: kubescape, ollama, nodetaint, flux-source-controller, nginx-stable, cue, prometheus-blackbox-exporter, flux-notification-controller, ko, gatekeeper, ingress-nginx-controller, dotnet, newrelic-infrastructure-agent, cilium-envoy, envoy-ratelimit, neuvector-agent,...

CVE-2024-6104 vulnerabilities

Vulnerabilities for packages: consul, external-dns, flux-image-reflector-controller, kubescape, gitsign, ksops, rook, slsa-verifier, kyverno, flux-source-controller, influxd, timestamp-authority, k3d, zarf, loki, flux-notification-controller, aactl, nuclei, tkn, sigstore-scaffolding, skopeo, glab,....

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: consul, nri-mssql, kube-bench, crossplane, mage, caddy, nodetaint, aws-ebs-csi-driver, cue, prometheus-blackbox-exporter, temporal-ui-server, ytt, kor, kuberay-operator, petname, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator, direnv,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: mkcert, kubescape, kube-bench, crossplane, mage, crane, prometheus-nats-exporter, caddy, aws-ebs-csi-driver, newrelic-nri-statsd, flux-source-controller, cue, tfsec, flux-notification-controller, ko, cloudflared, mods, petname, nfs-subdir-external-provisioner, direnv,....

GHSA-5FQ7-4MXC-535H vulnerabilities

Vulnerabilities for packages: mkcert, kubescape, kube-bench, crossplane, mage, crane, prometheus-nats-exporter, caddy, aws-ebs-csi-driver, newrelic-nri-statsd, flux-source-controller, cue, tfsec, flux-notification-controller, ko, cloudflared, mods, petname, nfs-subdir-external-provisioner, direnv,....

CVE-2024-24789 vulnerabilities

Vulnerabilities for packages: consul, mkcert, nri-mssql, kube-bench, crossplane, velero-plugin-for-csi, flux-source-controller, gpu-feature-discovery, grpc-health-probe, hivemind, flannel-cni-plugin, nvidia-container-toolkit, neuvector-dbgen, kubernetes, kots, nsc, sigstore-scaffolding, kind,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: consul, mkcert, nri-mssql, kube-bench, crossplane, velero-plugin-for-csi, flux-source-controller, hugo-extended, kor, grpc-health-probe, flannel-cni-plugin, kubernetes, multus-cni, melange, nsc, sigstore-scaffolding, kind, nri-nagios,...

GHSA-V6V8-XJ6M-XWQH vulnerabilities

Vulnerabilities for packages: consul, external-dns, flux-image-reflector-controller, kubescape, gitsign, ksops, rook, slsa-verifier, kyverno, flux-source-controller, influxd, timestamp-authority, k3d, zarf, loki, flux-notification-controller, aactl, nuclei, tkn, sigstore-scaffolding, skopeo, glab,....

CVE-2023-45285 vulnerabilities

Vulnerabilities for packages: cortex, slsa-verifier, hey, mage, influx, nsc, sonobuoy, docker-cli, k3d, prometheus-bind-exporter, metrics-server, aactl, ctop, gitlab-logger, oras, configmap-reload, docker-credential-ecr-login, cni-plugins, grpcurl, nri-discovery-kubernetes, kind, ip-masq-agent,...

CVE-2023-48795 vulnerabilities

Vulnerabilities for packages: consul, kubescape, nri-mssql, crossplane, prometheus-nats-exporter, caddy, istio-pilot-discovery, ollama, flux-source-controller, prometheus-blackbox-exporter, temporal-ui-server, ko, istio-cni, cloudflared, grpc-health-probe, gatekeeper,...

CVE-2024-24557 vulnerabilities

Vulnerabilities for packages: up, flux-image-reflector-controller, kubescape, slsa-verifier, gitsign, kubeflow-katib, crane, istio-pilot-discovery, kyverno, zarf, k9s, loki, aactl, ctop, skopeo, istio-pilot-agent, kubevela, k3s, bom, datadog-agent, tekton-pipelines, guac, flux-helm-controller,...

CVE-2023-3978 vulnerabilities

Vulnerabilities for packages: consul, ollama, nodetaint, aws-ebs-csi-driver, flux-source-controller, cue, prometheus-blackbox-exporter, flux-notification-controller, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator, newrelic-infrastructure-agent, dive, metacontroller, wireguard-go,...

GHSA-RR6R-CFGF-GC6H vulnerabilities

Vulnerabilities for packages: consul, nri-mssql, kube-bench, crossplane, mage, caddy, nodetaint, aws-ebs-csi-driver, cue, prometheus-blackbox-exporter, temporal-ui-server, ytt, kor, kuberay-operator, petname, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator, direnv,...

GHSA-M5VV-6R4H-3VJ9 vulnerabilities

Vulnerabilities for packages: up, flux-image-reflector-controller, cortex, external-dns, kubescape, rook, ksops, prometheus-operator, kyverno, sqlpad, flux-source-controller, tempo, timestamp-authority, teleport, zarf, loki, airflow, nuclei, tkn, sigstore-scaffolding, flux, step, tekton-pipelines,....

CVE-2023-45142 vulnerabilities

Vulnerabilities for packages: up, prometheus, calico, thanos, gitlab-kas, kubernetes, caddy, k3s, ipfs, kubevela, gatekeeper, cert-manager, keda,...

GHSA-RCJV-MGP8-QVMR vulnerabilities

Vulnerabilities for packages: up, prometheus, calico, thanos, gitlab-kas, kubernetes, caddy, k3s, ipfs, kubevela, gatekeeper, cert-manager, keda,...

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: consul, kubescape, kube-bench, crossplane, prometheus-nats-exporter, caddy, istio-pilot-discovery, aws-ebs-csi-driver, nodetaint, ollama, flux-source-controller, kaniko, docker, hugo-extended, flux-notification-controller, temporal-ui-server, istio-cni, cloudflared,...

CVE-2024-35255 vulnerabilities

Vulnerabilities for packages: up, flux-image-reflector-controller, cortex, external-dns, kubescape, rook, ksops, prometheus-operator, kyverno, sqlpad, flux-source-controller, tempo, timestamp-authority, teleport, zarf, loki, airflow, nuclei, tkn, sigstore-scaffolding, flux, step, tekton-pipelines,....

GHSA-J6M3-GC37-6R6Q vulnerabilities

Vulnerabilities for packages: consul, nri-mssql, kube-bench, crossplane, mage, caddy, nodetaint, aws-ebs-csi-driver, cue, prometheus-blackbox-exporter, temporal-ui-server, ytt, kor, kuberay-operator, petname, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator, direnv,...

CVE-2024-26147 vulnerabilities

Vulnerabilities for packages: up, kubescape, chartmuseum, k8sgpt, cilium-cli, trivy, istio-operator, flux-source-controller, zot, helm-operator, cert-manager, zarf, flux-helm-controller, eksctl, k9s, helm-push,...

GHSA-2JWV-JMQ4-4J3R vulnerabilities

Vulnerabilities for packages: mkcert, kubescape, kube-bench, crossplane, mage, crane, prometheus-nats-exporter, caddy, aws-ebs-csi-driver, newrelic-nri-statsd, flux-source-controller, cue, tfsec, flux-notification-controller, ko, cloudflared, mods, petname, nfs-subdir-external-provisioner, direnv,....

CVE-2024-24790 vulnerabilities

Vulnerabilities for packages: consul, mkcert, nri-mssql, kube-bench, crossplane, velero-plugin-for-csi, flux-source-controller, gpu-feature-discovery, grpc-health-probe, hivemind, flannel-cni-plugin, nvidia-container-toolkit, neuvector-dbgen, kubernetes, kots, nsc, sigstore-scaffolding, kind,...

CVE-2023-39325 vulnerabilities

Vulnerabilities for packages: consul, kubescape, caddy, istio-pilot-discovery, aws-ebs-csi-driver, nodetaint, ollama, flux-source-controller, cue, prometheus-blackbox-exporter, flux-notification-controller, istio-cni, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator,...

GHSA-FGQ5-Q76C-GX78 vulnerabilities

Vulnerabilities for packages: consul, nri-mssql, kube-bench, crossplane, mage, caddy, nodetaint, aws-ebs-csi-driver, cue, prometheus-blackbox-exporter, temporal-ui-server, ytt, kor, kuberay-operator, petname, gatekeeper, nfs-subdir-external-provisioner, k8sgpt-operator, direnv,...

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: consul, mkcert, nri-mssql, kube-bench, crossplane, velero-plugin-for-csi, flux-source-controller, hugo-extended, kor, grpc-health-probe, flannel-cni-plugin, kubernetes, multus-cni, melange, nsc, sigstore-scaffolding, kind, nri-nagios,...

GHSA-C5Q2-7R4C-MV6G vulnerabilities

Vulnerabilities for packages: rook, dex, gitsign, slsa-verifier, melange, istio-pilot-discovery, flux-source-controller, timestamp-authority, zarf, aactl, ko, apko, istio-cni, cloudflared, sigstore-scaffolding, skopeo, tkn, istio-pilot-agent, step, grpc-health-probe, tekton-pipelines, guac, keda,.....