3642 matches found
CVE-2024-29644
CVE-2024-29644 concerns a Cross Site Scripting vulnerability in dcat-admin v2.1.3 and earlier. The issue allows a remote attacker to execute arbitrary code by injecting a crafted script into the user login box. Documents consistently describe this as a client-side script injection affecting the l...
WordPress Plugin WooCommerce Box Office Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
Radamsa - A General-Purpose Fuzzer
Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestringly different outputs from them. The main...
Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
Description The plugin does not prevent users with at least the contributor role from accessing arbitrary custom fields assigned to other users' posts. 1. ADMIN: Install Meta Box 2. ADMIN: Add Meta Box fields through code or the premium add-on...
Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
Description The plugin does not prevent users with at least the contributor role from accessing arbitrary custom fields assigned to other users' posts. PoC 1. ADMIN: Install Meta Box 2. ADMIN: Add Meta Box fields through code or the premium add-on...
CVE-2024-1401
The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite...
CVE-2024-1401
CVE-2024-1401 affects Profile Box Shortcode And Widget for WordPress, prior to version 1.2.1. Root cause: settings are not sanitized/escaped, enabling Stored XSS for admin-level users (and higher) even when unfiltered_html is disallowed (e.g., multisite). Impact: Stored XSS could compromise site ...
WordPress Plugin Profile Box Shortcode And Widget Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...
OESA-2024-1270 glade security update
Glade is a RAD tool to enable quick and easy development of user interfaces for the GTK+ toolkit and the GNOME desktop environment. Security Fixes: plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial ...
Researchers Highlight Google's Gemini AI Susceptibility to LLM Threats
Google's Gemini large language model (LLM) is susceptible to security threats that could cause it to divulge system prompts, generate harmful content, and carry out indirect injection attacks. The findings come from HiddenLayer, which said the issues impact consumers using Gemini Advanced with Goog...
Beaver Builder Addons by WPZOOM < 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box Widget
Description The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...
Top 10 web application vulnerabilities in 2021–2023
To help companies navigate the world of web application vulnerabilities and secure their own web applications, the Open Web Application Security Project (OWASP) online community created the OWASP Top Ten. As we followed their rankings, we noticed that the way we ranked major vulnerabilitie...
WordPress Profile Box Shortcode And Widget Plugin < 1.2.1 is vulnerable to Cross Site Scripting (XSS)
Software: Profile Box Shortcode And Widget; Type: Plugin; Vulnerable versions: 1.2.1; Fixed in: 1.2.1; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-1401; Patch priority: Low; CVSS severity: Low 5.9; PSID: 08bc30af4a51; Credits: Dmitrii...
Security Bulletin: IBM App Connect Enterprise Certified Container flows using Box are vulnerable to loss of confidentiality due to [CVE-2024-24758]
Summary Node.js module undici is used by IBM App Connect Enterprise Certified Container for communicating with Box in the Box connector. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run flows using the Box connector are vulnerable to loss o...
CVE-2024-1408
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to...
Profile Box Shortcode And Widget < 1.2.1 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. When creating a new widget, insert the...
AnythingLLM Cross-Site Scripting Vulnerability
AnythingLLM is a document chatbot that meets business requirements. AnythingLLM suffers from a cross-site scripting vulnerability that originates from script injection through the chat box...
CMS Made Simple 2.2.19 Cross Site Scripting Vulnerability
Exploit Title: CMS Made Simple Version: 2.2.19 - Stored XSS. Exploit Author: tmrswrr. Vendor Homepage: https://www.cmsmadesimple.org/. Version: 2.2.19. Tested on: https://www.softaculous.com/demos/CMSMadeSimple. 1. Log in as admin and go to Content > File Manager. 2. Write in New directory: place payload "...
SUSE CVE-2020-36774
plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash)...
PT-2024-18018 · WordPress · Profilepress
Name of the Vulnerable Software and Affected Versions: ProfilePress plugin for WordPress versions up to, and including, 4.14.4 Description: The issue is related to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode due to insufficient input sanitization and output escapi...