WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 Security Vulnerabilities
CVE-2021-24572 Paypal Donation < 1.3.1 - CSRF to Arbitrary Post Deletion
The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could.....
5AI Score
0.001EPSS
CVE-2021-24570 Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of...
4.6AI Score
0.001EPSS
Exploit for Improper Input Validation in Gitlab
CVE-2021-22205-getshell CVE-2021-22205-getshell 测试版本...
10CVSS
1.2AI Score
0.975EPSS
Exploit for Code Injection in Gitlab
CVE-2021-22205 CVE-2021-22205 RCE 工具仅用于分享交流,切勿用于非授权测试,否则与作者无关...
10CVSS
0.5AI Score
0.975EPSS
Exploit for Code Injection in Gitlab
0x01 前言 ⚠️声明:本项目仅供学习和交流使用,请勿用于非法未授权测试! 更新记录 11.2...
10CVSS
-0.3AI Score
0.975EPSS
10CVSS
1.1AI Score
0.975EPSS
Heartland OA 2021 Autumn Real Edition has a file upload vulnerability (CNVD-2021-88667)
HeartTone OA is an oa office tool equipped with AI artificial intelligence. Heart to OA 2021 Autumn real version there is a file upload vulnerability, attackers can use the vulnerability to gain control of the...
3.4AI Score
Exploit for Code Injection in Gitlab
CVE-2021-22205 影响版本: * Gitlab CE/EE < 13.10.3 * Gitlab...
10CVSS
0.1AI Score
0.975EPSS
Heartland OA 2021 Autumn Real Edition has a file upload vulnerability (CNVD-2021-86865)
HeartTone OA is a multifunctional intelligent office application. Heart to Heart OA 2021 Autumn Real Edition has a file upload vulnerability, which can be exploited by attackers to gain control of the...
3.3AI Score
Heartland OA 2021 Autumn Real Edition has a file upload vulnerability (CNVD-2021-88620)
HeartTone OA is a versatile and intelligent office application. Heart to Heart OA 2021 Autumn Real Edition has a file upload vulnerability, which can be exploited by attackers to gain control of the...
3.3AI Score
Heartland OA 2021 Autumn Real Edition has a file upload vulnerability (CNVD-2021-88619)
HeartTone OA is an oa office tool equipped with AI artificial intelligence. Heart to OA 2021 Autumn real version there is a file upload vulnerability, attackers can use the vulnerability to gain control of the...
3.4AI Score
Teen Rakes in $2.74M Worth of Bitcoin in Phishing Scam
During the early days of the pandemic, while the rest of the world was stress streaming and working on sourdough starter, an ambitious teen stuck in his bedroom decided to set up a fake “Love2Shop” gift card site to harvest people’s payment information, invest the stolen money in cryptocurrency...
-0.8AI Score
Exploit for Path Traversal in Vmware Cloud Foundation
CVE-2021-22005 VMware vCenter Server任意文件上传漏洞 Code...
9.8CVSS
8.9AI Score
0.974EPSS
Exploit for Expression Language Injection in Atlassian Confluence Data Center
CVE-2021-26084 CVE-2021-26084,Atlassian Confluence OGNL注入漏洞...
9.8CVSS
8.8AI Score
0.974EPSS
Exploit for Deserialization of Untrusted Data in Solarwinds Orion Platform
CVE-2021-35215 SolarWinds Orion Platform ActionPluginBaseView...
8.9CVSS
8.9AI Score
0.121EPSS
SRC-2021-0029 : Dedecms GetCookie Type Juggling Authentication Bypass Vulnerability
Vulnerability Details: This vulnerability allows remote attackers to bypass authentication on affected installations of Dedecms. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GetCookie function. The issue results from a loose comparison check...
0.1AI Score
Exploit for Path Traversal in Spring-Boot-Actuator-Logview Project Spring-Boot-Actuator-Logview
CVE-2021-21234 CVE-2021-21234 Spring Boot 目录遍历...
7.7CVSS
7.7AI Score
0.964EPSS
Exploit for Server-Side Request Forgery in Apache Http Server
CVE-2021-40438 请求 uri-path 可以导致 mod_proxy...
9CVSS
9.6AI Score
0.971EPSS
Stored Cross-Site Scripting (XSS) vulnerability discovered by dc11 in WordPress Accept Donations with PayPal plugin (versions <= 1.3.1). Solution Update the WordPress Accept Donations with PayPal plugin to the latest available version (at least...
2.2AI Score
Stored Cross-Site Scripting (XSS) vulnerability discovered by dc11 in WordPress Accept Donations with PayPal plugin (versions <= 1.3.1). Solution Update the WordPress Accept Donations with PayPal plugin to the latest available version (at least...
4.8CVSS
2.2AI Score
0.001EPSS
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. PoC Create/Edit a Button and put the following payload in the Amount Menu Name field...
4.8CVSS
2AI Score
0.001EPSS
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is...
4.8CVSS
0.1AI Score
0.001EPSS
description Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Mrdoc allows an attacker to reset arbitrary user‘s password 1、/admin/send_email_vcode/,check email & generate email & send mail def send_email_vcode(request): if request.method == 'POST': email =...
AI Score
Description When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. # Proof of Concept https://github.com/zmister2016/MrDoc/blob/master/app_admin/views.py#L985 ``` 普通用户修改密码 @login_required() @logger.catch()...
-0.3AI Score
Exploit for Vulnerability in D-Link Dcs-2530L Firmware
CVE-2020-25078 使用说明 instructions 攻击url放同一目录下 ip.txt The...
7.5CVSS
7.5AI Score
0.825EPSS
Exploit for Path Traversal in Apache Http Server
apache httpd path traversal checker 0x00 概述...
9.3AI Score
Verizon’s Visible Wireless Carrier Confirms Credential-Stuffing Attack
On Wednesday, Verizon’s Visible – an all-digital, uber-cheap wireless carrier – confirmed what customers have been complaining about on Reddit and Twitter all week: They lost control of their accounts; had their passwords and shipping addresses changed; and some got stuck with bills for pricey new....
-0.5AI Score
Exploit for Incorrect Authorization in Apache Druid
CVE-2021-36749 Apache Druid 任意文件读取 受影响版本:version <= 0.21.1...
6.5CVSS
7AI Score
0.76EPSS
Exploit for Improper Authentication in Dahuasecurity Ipc-Hum7Xxx Firmware
cve-2021-33045 通过修改浏览器发往/RPC2_Login的数据包登录摄像头的网页。...
9.8CVSS
9.4AI Score
0.051EPSS
Multiple Plugins from WPPlugin - Reflected Cross-Site Scripting via page Parameter
The plugins do not escape a page parameter before outputting it back in an attribute in various admin pages, leading to Reflected Cross-Site Scripting issues. The issues were reported to the vendor on August 10th, 2021 PoC Example in...
2.1AI Score
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Accept Donations with PayPal plugin (versions <= 1.3). Solution Update the WordPress Accept Donations with PayPal plugin to the latest available version (at least...
2.7AI Score
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Subscriptions & Memberships for PayPal plugin (versions <= 1.1.2). Solution Update the WordPress Subscriptions & Memberships for PayPal plugin to the latest available version (at least...
1.8AI Score
WordPress Easy PayPal Events plugin <= 1.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress Easy PayPal Events plugin (versions <= 1.1.1). Solution Update the WordPress Easy PayPal Events plugin to the latest available version (at least...
2.1AI Score
Multiple Plugins from WPPlugin - Reflected Cross-Site Scripting via page Parameter
The plugins do not escape a page parameter before outputting it back in an attribute in various admin pages, leading to Reflected Cross-Site Scripting issues. The issues were reported to the vendor on August 10th,...
0.5AI Score
Apache HTTPd 2.4.49/2.4.50 路径穿越漏洞
Apache HTTPd是Apache基金会开源的一款流行的HTTP服务器。 2021年10月8日Apache HTTPd官方发布安全更新,披露了CVE-2021-42013 Apache HTTPd 2.4.49/2.4.50 路径穿越漏洞。由于对CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞的修复不完善,攻击者可构造恶意请求绕过布丁,利用穿越漏洞读取到Web目录之外的其他文件。同时若Apache HTTPd开启了cgi支持,攻击者可构造恶意请求执行命令,控制服务器。阿里云应急响应中心提醒 Apache HTTPd 用户尽快采取安全措施阻止漏洞攻击。.....
9.8CVSS
0.4AI Score
0.975EPSS
Exploit for Path Traversal in Apache Http Server
用于检测/利用Apache 2.4.49与2.4.50上的目录穿越/命令执行漏洞 使用:...
7.5CVSS
8.2AI Score
0.975EPSS
Exploit for Path Traversal in Apache Http Server
cve-2021-41773 and cve-2021-42013 cve-2021-41773 和...
9.8CVSS
9.2AI Score
0.975EPSS
Exploit for Path Traversal in Apache Http Server
CVE-2021-41773_CVE-2021-42013 CVE-2021-41773...
9.8CVSS
9.2AI Score
0.975EPSS
WordPress插件Modern Events Calendar Lite跨站脚本漏洞
WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL.The WordPress plugin Modern Events Calendar Lite has a cross-site scripting vulnerability that stems from....
2.3AI Score
0.1AI Score
7.4AI Score
0.3AI Score
Navy Warship's Facebook Page Hacked to Stream 'Age of Empires' Gaming
The official Facebook page of a destroyer-class Navy warship, the USS Kidd, has gone rogue: Someone has taken over the page in order to…stream Age of Empires play. Age of Empires is a real-time online multiplayer strategy game in which the objective is to advance one’s civilization. Players...
AI Score
Twitch Leak Included Emails, Password: Researcher
Twitch users, if you haven’t changed your password yet, go. Now. Do it. 101321 08:45 UPDATE: Your email and password may already have been leaked – unhashed and unencrypted, though it’s not known if the one Twitch set of Twitch credentials are from an internally or externally facing database....
-0.8AI Score
Impact URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to access for anyone, not even the order's customer. The problem was, the Credit card form has prefilled "credit card holder" field with the Customer's...
7.5CVSS
0.7AI Score
0.002EPSS
Impact URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to access for anyone, not even the order's customer. The problem was, the Credit card form has prefilled "credit card holder" field with the Customer's...
7.5CVSS
0.7AI Score
0.002EPSS
7.5CVSS
8AI Score
0.975EPSS
sylius/paypalplugin is vulnerable to information disclosure. An attacker is able to predict the URL to the payment done page, after checkout due to the use of autoincremented payment id in page creation.Prefilled credit card form shows customer's first and last name resulting in sensitive...
7.5CVSS
3.2AI Score
0.002EPSS
AI Score
High Infinity Technology HiKam S6 1.3.26 Spoofing / Broken Authentication Vulnerability
High Infinity Technology HiKam S6 versions 1.3.26 and below suffer from broken authentication, enumeration, message protocol downgrade, insufficient use of cryptography, insufficient message protocol checks, device spoofing, outdated components, and weak default credential vulnerabilities. suffers....
0.5AI Score