91 matches found
EUVD-2021-21308
Malware in sbrugna...
EUVD-2022-34474
Malicious code in bioql PyPI...
CVE-2024-6020 Sign-up Sheets < 2.2.13 - Reflected XSS
The Sign-up Sheets WordPress plugin before 2.2.13 does not escape some generated URLs, as well as the $_SERVER['REQUEST_URI'] parameter, before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting...
CVE-2024-9835 RSS Feed Widget < 3.0.1 - Reflected XSS
The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2024-8056 MM-Breaking News <= 0.7.9 - Reflected XSS
The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2024-6018 Music Request Manager <= 1.3 - Reflected XSS
The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2024-6072 WP eStore < 8.5.5 - Reflected XSS via $_SERVER['REQUEST_URI']
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2024-6072
CVE-2024-6072 affects the WordPress plugin wp-cart-for-digital-products up to version 8.5.4: $_SERVER['REQUEST_URI'] is not escaped when echoed into an attribute, enabling Reflected XSS in older browsers. Remediation: upgrade to version 8.5.5 or later, which contains the fix. Connected Red Hat and Patchs...
CVE-2024-5744 WP eMember < 10.6.7 - Reflected XSS
The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
CVE-2024-5713 if-so < 1.8.0.4 - Reflected XSS
The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.4 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
GHSA-R2WX-46GP-RP3H Moodle Improper Input Validation
Unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php. The referrer URL used by MFA required additional sanitizing, rather than being used directly...
CVE-2024-33999 moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php
The referrer URL used by MFA required additional sanitizing, rather than being used directly...
GHSA-5F5V-5C3V-GW5V Silverstripe IE requests not properly behaving with rewritehashlinks
Non-IE browsers don't appear to be affected, but I haven't tested a wide range of browsers to be sure. Requests that come through from IE do NOT appear to encode all entities in the URL string, meaning they are inserted into output content directly by SSViewer::process when rewriting hashlinks, as...
CVE-2023-0937 VK All in One Expansion Unit < 9.87.1.0 - Reflected XSS
The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...
Cross-Site Scripting (XSS)
mos/cimage is vulnerable to Cross-Site Scripting (XSS). The library does not properly escape user-controlled input before outputting it to the front end, allowing an attacker to inject and execute malicious JavaScript in the victim's browser via the $_SERVER['SERVER_SOFTWARE'] value in the file...
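Every PHP entry above shares one defect: a server variable that is really request-derived ($_SERVER['REQUEST_URI'], $_SERVER['HTTP_REFERER'], $_SERVER['SERVER_SOFTWARE']) is echoed into HTML without context-appropriate escaping. The block below is an added illustration, not code from any of the listed plugins or from mos/cimage or Moodle; the function names and the sample request target are hypothetical. It shows the vulnerable form beside the hardened one and a check that confirms whether the payload survives into the markup.

```php
<?php
// Added example of the pattern described in the advisories above.
// Not code from any listed project; all names here are hypothetical.
declare(strict_types=1);

// Vulnerable: REQUEST_URI is the raw request target from the HTTP
// request line. PHP neither decodes nor sanitises it, so whatever bytes
// the client sent land inside the attribute unchanged.
function render_form_vulnerable(array $server): string
{
    $uri = $server['REQUEST_URI'];
    return '<form method="post" action="' . $uri . '">'
         . '<input type="submit" value="Submit"></form>';
}

// Escape for the HTML attribute context. ENT_QUOTES covers both quote
// styles so the value can neither close a double- nor a single-quoted
// attribute; < > & are encoded as well, so no tag can be opened.
// In a WordPress plugin the equivalents are esc_url() for href/action
// values and esc_attr() for other attributes.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: identical markup, escaped value.
function render_form_hardened(array $server): string
{
    return '<form method="post" action="' . attr($server['REQUEST_URI']) . '">'
         . '<input type="submit" value="Submit"></form>';
}

// The same rule applies to the other two sources in the advisories:
// HTTP_REFERER is set by the client, SERVER_SOFTWARE by the web server
// (and therefore by whoever controls the deployment). Neither is HTML.
function render_debug_footer(array $server): string
{
    return '<p data-referer="' . attr($server['HTTP_REFERER'] ?? '') . '"'
         . ' data-server="' . attr($server['SERVER_SOFTWARE'] ?? '') . '"></p>';
}

// Reviewer check: does an attribute-breakout payload reach the markup raw?
function payload_survives(string $html): bool
{
    return strpos($html, '"><script>') !== false;
}

// Constructed sample request. Browsers that follow the WHATWG URL parser
// percent-encode " < > in the path before sending, so the server sees
// %22%3E%3C...; that is why the advisories say "old web browsers". A raw
// request (a socket, or a client that does not encode the target for you)
// still delivers these bytes verbatim, which is how to test the server
// side without needing such a browser.
$sample = [
    'REQUEST_URI'     => '/signup/"><script>alert(1)</script>',
    'HTTP_REFERER'    => 'https://evil.example/"><img src=x onerror=alert(2)>',
    'SERVER_SOFTWARE' => 'Apache',
];

$vuln = render_form_vulnerable($sample);
$safe = render_form_hardened($sample);

var_dump(payload_survives($vuln));   // bool(true): breakout succeeds
var_dump(payload_survives($safe));   // bool(false): rendered as &quot;&gt;&lt;script&gt;
echo $safe, PHP_EOL;                 // action="/signup/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"
echo render_debug_footer($sample), PHP_EOL;
```

Run it with `php example.php` (PHP 7.0 or later for the type declarations). The point the advisories compress into "in old web browsers" is visible in the sample: the breakout needs a literal `"` and `<` in the request target, which current browsers encode before sending, so a reflection that is trivially reachable with a raw request may be hard to weaponise against a victim running a modern browser. The escaping fix is the same either way, and it is the fix every entry above shipped.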