2179 matches found

The Hacker News
added 2024/11/22 4:47 p.m. · 4 views

China-Linked TAG-112 Targets Tibetan Media with Cobalt Strike Espionage Campaign

A China-linked nation-state group called TAG-112 compromised Tibetan media and university websites in a new cyber espionage campaign designed to facilitate the delivery of the Cobalt Strike post-exploitation toolkit for follow-on information collection. "The attackers embedded malicious JavaScrip...

6.8 AI score
Exploits 0

CNNVD
added 2024/11/21 12:00 a.m. · 4 views

Zimbra Collaboration Server Cross-Site Scripting Vulnerability

Zimbra Collaboration Server (ZCS) is an email and collaboration solution from Zimbra. The solution provides email, contacts, calendar, file sharing, social networking, and other features. A cross-site scripting vulnerability exists in Zimbra Collaboration Server versions 9.0 and 10.0. An attacker c...

4.8 CVSS · 6 AI score · 0.00467 EPSS
Exploits 0 · References 5

NVD
added 2024/11/18 9:15 p.m. · 13 views

CVE-2024-52583

The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. The page schedule.html before 17 November 2024 or commit 93dfb83 contains links to Leostop, a site that hosts a malicious injected JavaScript file that occurs when...

8.2 CVSS · 0.00201 EPSS
Exploits 0 · References 3

CNNVD
added 2024/11/18 12:00 a.m. · 2 views

WesHacks Security Vulnerability

WesHacks is a hackathon website by the individual developer Shahm Najeeb. A security vulnerability exists in versions of WesHacks prior to 17/11/2024, which stems from the site hosting maliciously injected JavaScript files...

8.2 CVSS · 6.5 AI score · 0.00201 EPSS
Exploits 0 · References 3

Huntr
added 2024/11/17 7:58 p.m. · 2 views

Stored Cross-Site Scripting (XSS) via SAML IdP XML Injection

An attacker can achieve stored cross-site scripting (XSS) by injecting malicious JavaScript into the SAML IdP XML metadata. This metadata is used to generate the SAML login redirect URL, which is ultimately set as the value of window.location.href. This vulnerability allows the attacker to execute...

7.3 CVSS · 6.2 AI score · 0.00351 EPSS
Exploits 1

CNNVD
added 2024/11/14 12:00 a.m. · 2 views

LoLLMs Code Issue Vulnerability

LoLLMs is a Web UI for a large language multi-modal system by the individual developer Saifeddine ALOUI. A code issue vulnerability exists in LoLLMs version 9.6, which stems from the presence of a cross-site scripting (XSS) and open redirection vulnerability that allows an attacker to embed malicio...

7.3 CVSS · 6.9 AI score · 0.00312 EPSS
Exploits 1 · References 3

CNNVD
added 2024/11/14 12:00 a.m. · 3 views

GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) Cross-Site Scripting Vulnerability

GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) are both products of GitLab, Inc. GitLab Enterprise Edition is a content management system. A cross-site scripting vulnerability exists in GitLab Enterprise Edition (EE) and GitLab...

6.1 CVSS · 5.9 AI score · 0.00364 EPSS
Exploits 0 · References 2

CNNVD
added 2024/11/08 12:00 a.m. · 2 views

Combodo iTop Security Vulnerability

Combodo iTop is a suite of open source web applications developed by the French company Combodo based on ITIL and used for the daily operation of IT environments. The program provides incident management, configuration management and problem management. A security vulnerability in Combodo iTop...

8.1 CVSS · 7.2 AI score · 0.00355 EPSS
Exploits 1 · References 1

CNNVD
added 2024/11/05 12:00 a.m. · 4 views

SuiteCRM Cross-Site Scripting Vulnerability

SuiteCRM is a customer relationship management system from the SuiteCRM team. A cross-site scripting vulnerability exists in SuiteCRM. An attacker can exploit this vulnerability to inject malicious JavaScript code...

5.4 CVSS · 5.8 AI score · 0.00299 EPSS
Exploits 1 · References 1

The Hacker News
added 2024/10/30 1:05 p.m. · 17 views

Opera Browser Fixes Big Security Hole That Could Have Exposed Your Information

A now-patched security flaw in the Opera web browser could have enabled a malicious extension to gain unauthorized, full access to private APIs. The attack, codenamed CrossBarking, could have made it possible to conduct actions such as capturing screenshots, modifying browser settings, and accou...

7 AI score
Exploits 0

CVE
added 2024/10/16 6:43 a.m. · 41 views

CVE-2020-36839

The CVE covers the WordPress plugin WP Lead Plus X, affected through version 0.99. The vulnerability is a Cross-Site Request Forgery due to missing or incorrect nonce validation on several functions, enabling unauthenticated attackers to trigger administrative actions such as adding pages or inje...

8.3 CVSS · 8 AI score · 0.00244 EPSS
Exploits 0 · References 3

Vulnrichment
added 2024/10/16 6:43 a.m. · 11 views

CVE-2020-36839 WP Lead Plus X <= 0.99 - Cross-Site Request Forgery

The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.99. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform administrative actions, such as...

8.3 CVSS · 6.5 AI score · 0.00244 EPSS
Exploits 0 · References 3

Cvelist
added 2024/10/16 6:43 a.m. · 16 views

CVE-2021-4444 Product Filter by WooBeWoo <= 1.4.9 - Missing Authorization

The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new...

7.3 CVSS · 0.00321 EPSS
Exploits 0 · References 2

Positive Technologies
added 2024/10/15 12:00 a.m. · 3 views

PT-2024-10849 · WordPress · Wp Lead Plus X

Name of the Vulnerable Software and Affected Versions: WP Lead Plus X plugin for WordPress versions up to, and including, 0.99
Description: The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on several functions. This...

8.3 CVSS · 6.8 AI score · 0.00244 EPSS
Exploits 0 · References 12

Positive Technologies
added 2024/10/15 12:00 a.m. · 3 views

PT-2024-11040 · Woobewoo · Woobewoo Product Filter

Name of the Vulnerable Software and Affected Versions: Product Filter by WooBeWoo plugin for WordPress versions up to, and including 1.4.9
Description: The issue is related to authorization bypass due to missing authorization checks on various functions, allowing unauthenticated attackers to...

7.3 CVSS · 7.4 AI score · 0.00321 EPSS
Exploits 0 · References 10

CVE
added 2024/10/14 12:00 a.m. · 55 views

CVE-2024-48120

X2CRM v8.5 is affected by a stored XSS in the Opportunities module. The vulnerability allows an authenticated attacker to inject JavaScript via the Name field when creating a list, with the payload stored and later triggered. Evidence consistently references a stored XSS path in the Opportunities...

6.5 CVSS · 5.9 AI score · 0.00624 EPSS
Exploits 3 · References 1 · Affected Software 1

Vulnrichment
added 2024/10/14 12:00 a.m. · 9 views

CVE-2024-48120

X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list...

5.7 AI score · 0.00624 EPSS
Exploits 3 · References 1

CNVD
added 2024/10/13 12:00 a.m. · 6 views

Adobe Commerce Cross-Site Scripting Vulnerability (CNVD-2024-41463)

Adobe Commerce is a global-leading digital commerce solution for businesses and brands from Adobe, a United States company. Adobe Commerce suffers from a cross-site scripting vulnerability that can be exploited by an attacker to say that accessing a URL that references a...

6.1 CVSS · 5.8 AI score · 0.00426 EPSS
Exploits 0 · References 1

NVD
added 2024/10/12 3:15 a.m. · 21 views

CVE-2024-9592

The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the...

6.1 CVSS · 0.00103 EPSS
Exploits 0 · References 2

CVE
added 2024/10/12 2:05 a.m. · 106 views

CVE-2024-9592

CVE-2024-9592 concerns the WordPress plugin Easy PayPal Gift Certificate (versions ≤ 1.2.3). The vulnerability is a Cross-Site Request Forgery that, due to missing/incorrect nonce validation in the wpppgc_plugin_options function, can allow an unauthenticated attacker to update plugin settings and...

6.1 CVSS · 6.2 AI score · 0.00103 EPSS
Exploits 0 · References 2