Lucene search
+L

228 matches found

OSV
OSV
added 2024/01/24 9:13 p.m.38 views

GHSA-R64R-5H43-26QV Any authenticated user may obtain private message details from other users on the same instance

Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to loudly obtain all private messages of an...

7.5CVSS7AI score0.00505EPSS
Exploits0References4
Prion
Prion
added 2024/01/24 6:15 p.m.21 views

Design/Logic Flaw

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...

4CVSS7AI score0.00505EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2024/01/24 6:9 p.m.74 views

CVE-2024-23649

CVE-2024-23649 affects Lemmy 0.17.0 up to 0.19.0 (vulnerable) with a patch available in 0.19.1. The issue allows any authenticated user to obtain arbitrary private message contents by calling the API at /api/v3/private_message/report; the response can include the private message itself and, in so...

7.5CVSS6.4AI score0.00505EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2024/01/24 6:9 p.m.41 views

CVE-2024-23649 Any authenticated user may obtain private message details from other users on the same instance

Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...

7.5CVSS6.4AI score0.00505EPSS
Exploits0References4
Huntr
Huntr
added 2023/06/18 10:52 a.m.6 views

Stored XSS on user "Write private message" function

Description An attacker can inject malicious executable scripts into the code of the message field. Proof of Concept Log in as a Member user, access Messages - Write private message function for sending admin a message.COde Insert this payload into the message field testscriptprompt'1'/script the...

6.5AI score
Exploits0
NVD
NVD
added 2023/04/25 1:15 p.m.16 views

CVE-2023-30417

A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...

5.4CVSS5.3AI score0.004EPSS
Exploits1References1
OSV
OSV
added 2023/04/25 1:15 p.m.5 views

CVE-2023-30417

A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...

5.4CVSS6.2AI score0.004EPSS
Exploits1References1
Prion
Prion
added 2023/04/25 1:15 p.m.15 views

Cross site scripting

A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...

4.9CVSS5.3AI score0.004EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2023/04/25 12:0 a.m.22 views

CVE-2023-30417

A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...

5.5AI score0.004EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2023/04/25 12:0 a.m.7 views

CVE-2023-30417

A cross-site scripting XSS vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message...

5.8AI score0.004EPSS
Exploits1References1
NVD
NVD
added 2023/02/21 9:15 a.m.25 views

CVE-2023-0453

The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...

4.3CVSS4.5AI score0.00551EPSS
Exploits2References2
OSV
OSV
added 2023/02/21 9:15 a.m.9 views

CVE-2023-0453

The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...

4.3CVSS5.8AI score0.00551EPSS
Exploits2References2
Prion
Prion
added 2023/02/21 9:15 a.m.17 views

Code injection

The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...

4CVSS4.5AI score0.00551EPSS
Exploits2References2Affected Software1
Vulnrichment
Vulnrichment
added 2023/02/21 8:50 a.m.8 views

CVE-2023-0453 WP Private Message < 1.0.6 - Private Message Disclosure via IDOR

The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...

4.5AI score0.00551EPSS
Exploits2References2
Cvelist
Cvelist
added 2023/02/21 8:50 a.m.26 views

CVE-2023-0453 WP Private Message < 1.0.6 - Private Message Disclosure via IDOR

The WP Private Message WordPress plugin bundled with the Superio theme as a required plugin before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by...

4.8AI score0.00551EPSS
Exploits2References2
CVE
CVE
added 2023/02/21 8:50 a.m.59 views

CVE-2023-0453

CVE-2023-0453 affects the WP Private Message WordPress plugin (bundled with the Superio theme) prior to version 1.0.6. The root cause is insecure direct object references: private messages could be accessed by tampering the message_id value, allowing any authenticated user to view another user’s ...

4.3CVSS4.8AI score0.00551EPSS
Exploits2References2Affected Software1
Patchstack
Patchstack
added 2023/01/31 12:0 a.m.13 views

WordPress WP Private Message Plugin < 1.0.6 is vulnerable to Insecure Direct Object References (IDOR)

Software WP Private Message Type Plugin Vulnerable versions 1.0.6 Fixed in 1.0.6 OWASP Top 10 A5: Broken Access Control Classification Insecure Direct Object References IDOR CVE CVE-2023-0453 Patch priority Low CVSS severity Low 7.5 Developer Claim ownership PSID c5646ba0a8f7 Credits Veshraj...

4.3CVSS6.5AI score0.00551EPSS
Exploits2References3Affected Software1
wpexploit
wpexploit
added 2023/01/30 12:0 a.m.117 views

WP Private Message < 1.0.6 - Private Message Disclosure via IDOR

The plugin bundled with the Superio theme as a required plugin does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID. - Install the Superio theme an...

4.3CVSS5.5AI score0.00551EPSS
Exploits2References1
NVD
NVD
added 2023/01/27 7:15 p.m.18 views

CVE-2023-0549

A vulnerability, which was classified as problematic, has been found in YAFNET up to 3.1.10. This issue affects some unknown processing of the file /forum/PostPrivateMessage of the component Private Message Handler. The manipulation of the argument subject/message leads to cross site scripting. T...

5.4CVSS4.3AI score0.0069EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2023/01/27 6:57 p.m.6 views

CVE-2023-0549 YAFNET Private Message PostPrivateMessage cross site scripting

A vulnerability, which was classified as problematic, has been found in YAFNET up to 3.1.10. This issue affects some unknown processing of the file /forum/PostPrivateMessage of the component Private Message Handler. The manipulation of the argument subject/message leads to cross site scripting. T...

4CVSS4.7AI score0.0069EPSS
Exploits1References6
Rows per page
Query Builder