228 matches found
CVE-2023-0549 YAFNET Private Message PostPrivateMessage cross site scripting
A vulnerability, which was classified as problematic, has been found in YAFNET up to 3.1.10. This issue affects some unknown processing of the file /forum/PostPrivateMessage of the component Private Message Handler. The manipulation of the argument subject/message leads to cross site scripting. T...
PT-2023-16354 · Yafnet · Yafnet
Name of the Vulnerable Software and Affected Versions: YAFNET versions up to 3.1.10 Description: A problematic issue has been found in the Private Message Handler component, affecting the processing of the file /forum/PostPrivateMessage. The manipulation of the subject and message arguments leads...
DRUPAL-CONTRIB-2022-062
Social Private Message module allows users on the platform to allow users to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062
Social Private Message module allows users on the platform to allow users to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
CVE-2022-39385
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been...
Information disclosure
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been...
CVE-2022-39385 Users erroneously and transparently added to private messages in Discourse
Discourse is the an open source discussion platform. In some rare cases users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this, it happens transparently in the background. This issue has been...
CVE-2022-32229
A information disclosure vulnerability exists in Rockert.Chat v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection...
CVE-2022-2080 Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see...
CVE-2022-2080 Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see...
WordPress plugin Sensei LMS 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in the...
CVE-2022-2198 WPQA < 5.7 - Subscriber+ Private Message Disclosure via IDOR
The WPQA Builder WordPress plugin before 5.7 which is a companion plugin to the Hilmer and Discy , does not check authorization before displaying private messages, allowing any logged in user to read other users private message using the message id, which can easily be brute forced...
WordPress plugin WPQA Builder 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in the...
Send message to blocked user
Description In this case if a userA block userB. UserB is still able to send private message to user A Proof of Concept 1.USerA block userB 2.UserB send direct request to message endpoint with userA''s userID Poc POST https://bookwyrm.social/post/direct Host: bookwyrm.social User-Agent: Mozilla/5...
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and studen...
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and studen...
WordPress Sensei LMS plugin <= 4.5.1 - Arbitrary Private Message Sending via IDOR vulnerability
Arbitrary Private Message Sending via IDOR vulnerability discovered by Veshraj Ghimire in WordPress Sensei LMS plugin versions = 4.5.1. Solution Update the WordPress Sensei LMS plugin to the latest available version at least 4.5.2...
Cross site scripting
BigBlueButton version 2.4.7 or earlier is vulnerable to stored Cross-Site Scripting XSS in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to t...
CVE-2022-1598 WPQA < 5.5 - Unauthenticated Private Message Disclosure
The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer , lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site...
phpBB vulnerable to sensitive information disclosure
Unspecified vulnerability in phpBB before 3.0.4 allows attackers to obtain sensitive information via unknown vectors related to the lack of password prompts for a private message that quotes a post in a password-protected forum...