GO-2022-0425 Weak encryption and denial of service in github.com/flynn/noise
The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to b...
GHSA-G9MP-8G3H-3C5C flynn/noise has improper nonce handling yielding potential state DoS
The Go package github.com/flynn/noise, a Noise Protocol implementation, has two bugs in nonce handling in versions prior to v1.0.0. Issue 1: Potential nonce overflow. If 2^64 (18.4 quintillion) or more messages are encrypted with Encrypt after handshaking, the nonce counter will wrap around, causing...
PT-2022-11591 · Noise · Noise
Name of the Vulnerable Software and Affected Versions: github.com/flynn/noise versions prior to v1.0.0 Description: The Noise protocol implementation has weakened cryptographic security after encrypting 2^64 messages and is vulnerable to a potential denial of service attack. After 2^64 messages a...
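The counter wrap described in the three Noise entries above, as an added Go example that is not flynn/noise's code: a minimal AESGCM CipherState whose non-strict mode reproduces the pre-fix silent wrap from 2^64-1 to 0, and whose strict mode implements the Noise specification rule that the counter value 2^64-1 is reserved and must raise an error instead of being used. The names (CipherState, RunWrapDemo, MaxNonce, ErrNonceExhausted), the three 16-byte messages and the demo key are this example's own, and the counter is fast-forwarded to 2^64-2 because sending 2^64 messages is not practical. It goes one step past the advisory text to show why a wrapped nonce is "weakened cryptographic security": AESGCM is CTR mode underneath, so two ciphertexts produced under one key and nonce XOR to the XOR of their plaintexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxNonce is 2^64-1, the value the Noise spec reserves: a CipherState must signal an
// error instead of encrypting once its counter reaches it (the guard missing pre-v1.0.0).
const MaxNonce = ^uint64(0)

var ErrNonceExhausted = errors.New("noise: nonce counter exhausted, rekey or abort")

// CipherState is a minimal stand-in for a Noise CipherState over AESGCM (this example's
// own layout, not flynn/noise's). Strict=false reproduces the pre-fix silent wrap.
type CipherState struct {
	aead   cipher.AEAD
	n      uint64
	Strict bool
}

func NewCipherState(key []byte, strict bool) (*CipherState, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CipherState{aead: aead, Strict: strict}, nil
}

// Encrypt returns the ciphertext and the counter value it consumed. Strict mode refuses
// at MaxNonce; otherwise c.n++ wraps from 2^64-1 to 0 and nonces repeat under the key.
func (c *CipherState) Encrypt(ad, plaintext []byte) ([]byte, uint64, error) {
	if c.Strict && c.n == MaxNonce {
		return nil, c.n, ErrNonceExhausted
	}
	used := c.n
	var nonce [12]byte // Noise AESGCM nonce: 32 zero bits, then n in big-endian
	binary.BigEndian.PutUint64(nonce[4:], used)
	ct := c.aead.Seal(nil, nonce[:], plaintext, ad)
	c.n++
	return ct, used, nil
}

type WrapDemo struct {
	NoncesUsed   []uint64 // counters the non-strict state consumed
	NonceReused  bool     // post-wrap nonce equals a fresh state's first nonce
	PlaintextXOR bool     // ct0 XOR ct2 == pt0 XOR pt2: GCM's CTR keystream was reused
	StrictOK     bool     // strict state still encrypts at 2^64-2
	StrictErr    error    // and refuses at 2^64-1
}

// RunWrapDemo fast-forwards a non-strict counter to 2^64-2 (no test sends 2^64 messages)
// and encrypts three constructed, equal-length messages.
func RunWrapDemo(key []byte) (*WrapDemo, error) {
	msgs := [][]byte{[]byte("AAAAAAAAAAAAAAAA"), []byte("BBBBBBBBBBBBBBBB"), []byte("CCCCCCCCCCCCCCCC")}
	loose, err := NewCipherState(key, false)
	if err != nil {
		return nil, err
	}
	loose.n = MaxNonce - 1
	d := &WrapDemo{}
	var last []byte
	for _, m := range msgs {
		ct, used, _ := loose.Encrypt(nil, m)
		last = ct
		d.NoncesUsed = append(d.NoncesUsed, used)
	}
	// Message 3 went out under n=0, the first nonce any fresh state with this key uses.
	fresh, _ := NewCipherState(key, false)
	ct0, used0, _ := fresh.Encrypt(nil, msgs[0])
	d.NonceReused = used0 == d.NoncesUsed[2]
	d.PlaintextXOR = true
	for i := range msgs[0] { // compare ciphertext bodies only; the 16-byte GCM tags follow
		if ct0[i]^last[i] != msgs[0][i]^msgs[2][i] {
			d.PlaintextXOR = false
		}
	}
	strict, _ := NewCipherState(key, true)
	strict.n = MaxNonce - 1
	_, _, first := strict.Encrypt(nil, msgs[0])
	d.StrictOK = first == nil
	_, _, d.StrictErr = strict.Encrypt(nil, msgs[1])
	return d, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	d, _ := RunWrapDemo(key)
	fmt.Printf("counters: %v\nnonce reused: %v, plaintext XOR recoverable: %v\n", d.NoncesUsed, d.NonceReused, d.PlaintextXOR)
	fmt.Printf("strict state: encrypts at 2^64-2: %v, at 2^64-1: %v\n", d.StrictOK, d.StrictErr)
}
```

The strict path is the behaviour to expect from a fixed implementation: when the counter hits the reserved value the only safe options are a Noise rekey or tearing the session down, never a wrap.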
CVE-2021-25103
The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the urladdon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires...
AdRotate < 5.8.22 - Admin+ SQL Injection
The plugin does not sanitise and escape the adrotateaction parameter before using it in a SQL statement via the adrotaterequestaction function available to admins, leading to a SQL injection. Get the nonce from one of the bulk actions, for example /wp-admin/admin.php?page=adrotate, and look for adrotatenonce ...
Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 Reusing a Nonce, Key Pair in Encryption (CVE-2017-7902)
A nonce and key pair reuse in encryption issue (CWE-323, "Reusing a Nonce, Key Pair in Encryption") was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A an...
CVE-2021-24761
The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server...
Type confusion
The checkprivacysettings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web...
PT-2022-9457 · WordPress · Error Log Viewer
Name of the Vulnerable Software and Affected Versions: Error Log Viewer WordPress plugin versions prior to 1.1.2 Description: The issue concerns a lack of nonce check when deleting a log file and the absence of path traversal prevention. This could allow attackers to make a logged-in admin delete...
MasterStudy LMS < 2.7.6 - Unauthenticated Admin Account Creation
The plugin does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin. PoC: the nonce value of the stmlmsregister request must be retrieved from the AJAX page; for this, check the home page POST...
Asgaros Forum < 2.0.0 - Subscriber+ Blind SQL Injection
The plugin does not sanitise and escape the postid parameter before using it in a SQL statement via a REST route of the plugin accessible to any authenticated user, leading to a SQL injection. As any authenticated user, such as a subscriber, get the nonce from: /wp-admin/admin-ajax.php?action=rest-nonc...
WordPress Simple Download Monitor plugin cross-site request forgery vulnerability
WordPress is a blogging platform developed by the WordPress Foundation in PHP; it supports setting up personal blog sites on PHP and MySQL servers. A cross-site request forgery vulnerability exists in versions of the WordPress plugin Simple Download Monitor prior to 3.9.9, which...
AdSanity < 1.8.2 - Contributor Arbitrary File Upload
The plugin does not have an authorisation check in its adsanityhtml5upload action and relies on a CSRF check instead. However, the nonce is available to any authenticated user with a role as low as contributor, allowing them to call it. Furthermore, due to the lack of validation of the uploaded file, it could allow the...
CVE-2021-24696 Simple Download Monitor < 3.9.9 - Multiple CSRF
The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to (1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), (2) delete logs (fixed in 3.9.9), (3) remove the thumbnail image from...
Database Backup for WordPress < 2.5.1 - Admin+ SQL Injection
The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue https://example.com/wp-admin/?fragment=select%20updatexml1,concat0x7e,select%20user,0::2.txt&wpnonce=7347278aca The nonce can be...
WordPress Crisp Live Chat plugin cross-site scripting vulnerability
WordPress is a blogging platform developed by the WordPress Foundation in PHP; it supports hosting personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress Crisp Live Chat plugin, which stems from a...