
3793 matches found

SUSE CVE
added 2023/02/15 3:26 a.m. · 2 views

SUSE CVE-2022-28286

Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird 91.8, Firefox 99, and Firefox ESR 91.8...

CVSS 4.3 · AI score 8.8 · EPSS 0.00557
Exploits 1 · References 9
WPVulnDB
added 2023/02/13 12:00 a.m. · 24 views

eVision Responsive Column Layout Shortcodes <= 2.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC bscolumns class='" onmouseover="alert1"...

CVSS 5.4 · AI score 5 · EPSS 0.00471
Exploits 2 · Affected Software 1
wpexploit
added 2023/02/13 12:00 a.m. · 88 views

eVision Responsive Column Layout Shortcodes <= 2.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. bscolumns class='" onmouseover="alert1"...

CVSS 5.4 · AI score 5.2 · EPSS 0.00471
Exploits 2
CNNVD
added 2023/02/04 12:00 a.m. · 4 views

MobileDetect cross-site scripting vulnerability

MobileDetect is a PHP class for detecting mobile devices. A cross-site scripting vulnerability exists in MobileDetect version 2.8.31, which stems from a problem with the initLayoutType function in the file examples/sessionexample.php in the component Example, which can lead to cross-site scriptin...

CVSS 6.1 · AI score 4.1 · EPSS 0.02634
Exploits 2 · References 7
Positive Technologies
added 2023/02/04 12:00 a.m. · 2 views

PT-2023-10821 · Unknown · Mobiledetect

Name of the Vulnerable Software and Affected Versions: MobileDetect version 2.8.31 Description: A problematic issue has been found in MobileDetect, affecting the initLayoutType function of the examples/session example.php file in the Example component. The manipulation of the argument $ SERVER'PH...

CVSS 6.1 · AI score 4.3 · EPSS 0.02634
Exploits 2 · References 13
Veracode
added 2023/02/02 4:51 a.m. · 27 views

Remote Code Execution (RCE)

openmage/magento-lts is vulnerable to Remote Code Execution RCE. The vulnerability exists due to the lack of validation in the $this, $callback, and $alias parameters in the getChildGroup function of Abstract.php, allowing an attacker to bypass the block blacklist and inject and execute malicious...

CVSS 8.8 · AI score 6.8 · EPSS 0.01166
Exploits 0 · References 6 · Affected Software 1
Veracode
added 2023/01/31 10:52 a.m. · 15 views

Arbitrary Command Execution

openmage/magento-lts is vulnerable to Arbitrary Command Execution. The vulnerability is due to the validateAgainstBlockMethodBlacklist function in Security.php which doesn't prevent custom layout enabled admin users from executing malicious commands via block methods...

CVSS 7.2 · AI score 7 · EPSS 0.01319
Exploits 0 · References 6 · Affected Software 1
OSV
added 2023/01/27 7:15 p.m. · 16 views

CVE-2021-41144

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue...

CVSS 8.8 · AI score 8.9
Exploits 0 · References 4
Prion
added 2023/01/27 7:15 p.m. · 23 views

Design/Logic Flaw

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue...

CVSS 6.5 · AI score 8.8 · EPSS 0.01166
Exploits 0 · References 4 · Affected Software 1
Cvelist
added 2023/01/27 6:08 p.m. · 20 views

CVE-2021-41144 OpenMage LTS authenticated remote code execution through layout update

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue...

CVSS 8.8 · AI score 9 · EPSS 0.01166
Exploits 0 · References 4
Vulnrichment
added 2023/01/27 6:08 p.m. · 4 views

CVE-2021-41144 OpenMage LTS authenticated remote code execution through layout update

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue...

CVSS 8.8 · AI score 9 · EPSS 0.01166
Exploits 0 · References 4
Vulnrichment
added 2023/01/27 5:57 p.m. · 5 views

CVE-2021-39217 OpenMage LTS arbitrary command execution in custom layout update through blocks

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue...

CVSS 7.2 · AI score 7.5 · EPSS 0.01319
Exploits 0 · References 4
CVE
added 2023/01/27 5:57 p.m. · 62 views

CVE-2021-39217

OpenMage LTS (Magento-LTS) is affected in versions prior to 19.4.22 and 20.0.19, where Custom Layout allowed an admin to execute arbitrary commands via block methods. The issue stems from how Custom Layout updates can invoke block methods, enabling command execution. Patches exist in 19.4.22 and ...

CVSS 7.2 · AI score 7.3 · EPSS 0.01319
Exploits 0 · References 4 · Affected Software 1
Cvelist
added 2023/01/27 5:57 p.m. · 16 views

CVE-2021-39217 OpenMage LTS arbitrary command execution in custom layout update through blocks

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue...

CVSS 7.2 · AI score 7.5 · EPSS 0.01319
Exploits 0 · References 4
Github Security Blog
added 2023/01/27 12:56 a.m. · 22 views

Fix for authenticated remote code execution through layout update

Impact A layout block was able to bypass the block blacklist to execute remote code...

CVSS 8.8 · AI score 3.1 · EPSS 0.01166
Exploits 0 · References 6 · Affected Software 1
OSV
added 2023/01/27 12:56 a.m. · 29 views

GHSA-5J2G-3PH4-RGVM Fix for authenticated remote code execution through layout update

Impact A layout block was able to bypass the block blacklist to execute remote code...

CVSS 8.8 · AI score 8.8 · EPSS 0.01166
Exploits 0 · References 6
Github Security Blog
added 2023/01/27 12:54 a.m. · 20 views

Fix for arbitrary command execution in custom layout update through blocks

Impact Custom Layout enabled admin users to execute arbitrary commands via block methods...

CVSS 7.2 · AI score 7.3 · EPSS 0.01319
Exploits 0 · References 6 · Affected Software 1
OSV
added 2023/01/27 12:54 a.m. · 36 views

GHSA-C9Q3-R4RV-MJM7 Fix for arbitrary command execution in custom layout update through blocks

Impact Custom Layout enabled admin users to execute arbitrary commands via block methods...

CVSS 7.2 · AI score 7.2 · EPSS 0.01319
Exploits 0 · References 6
Patchstack
added 2023/01/27 12:00 a.m. · 6 views

WordPress eVision Responsive Column Layout Shortcodes Plugin <= 2.3 is vulnerable to Cross Site Scripting (XSS)

Software eVision Responsive Column Layout Shortcodes Type Plugin Vulnerable versions = 2.3 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE N/A Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID 18ded12f9366 Credits...

AI score 5.9
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2023/01/27 12:00 a.m. · 5 views

PT-2023-12348 · Unknown · Openmage Lts

Name of the Vulnerable Software and Affected Versions: OpenMage LTS versions prior to 19.4.22 OpenMage LTS versions prior to 20.0.19 Description: The issue allows admin users to execute arbitrary commands via block methods in the Custom Layout feature. This is a significant problem as it can lead...

CVSS 7.2 · AI score 7.3 · EPSS 0.01319
Exploits 0 · References 10