117 matches found
PT-2024-15228 · WordPress · Smart Forms
Name of the Vulnerable Software and Affected Versions: Smart Forms WordPress plugin versions prior to 2.6.87 Description: The issue concerns a lack of authorization in various AJAX actions within the plugin, allowing users with a low role, such as a subscriber, to perform unauthorized actions lik...
Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion
Description The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged ...
Smart Forms < 2.6.87 - Subscriber+ Arbitrary Entry Deletion
Description The plugin does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged ...
Smart Forms < 2.6.85 - Subscriber+ Arbitrary Options Update
Description The plugin does not have authorisation in an AJAX action hooked to smartformssavesettings, and does not ensure that the option to be updated belong to the plugin. As a result, any authenticated users, such as subscriber could update arbitrary options such as defaultrole and...
WordPress Smart Forms Plugin <= 2.6.84 is vulnerable to Broken Access Control
Software Smart Forms Type Plugin Vulnerable versions = 2.6.84 Fixed in 2.6.85 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2023-49856 Patch priority High CVSS severity High 8.1 Developer Claim ownership PSID 636ea1edcfea Credits Abdi Pranata Required privile...
CVE-2022-31040
CVE-2022-31040 affects Open Forms before versions 1.0.9 and 1.1.1, where the cookie consent page contains an open redirect via an injectable referer query parameter. The issue enables phishing redirects initiated by the Open Forms backend on a legitimate page. Connected sources confirm patches in...
WordPress Smart Forms Plugin Information Disclosure Vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An information disclosure vulnerability exists in WordPress Smart Forms Plugin versions prior to 2.6.71, which...
CVE-2022-0163
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form...
CVE-2022-0163
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form...
CVE-2022-0163
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form...
Information disclosure
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form...
CVE-2022-0163
CVE-2022-0163 concerns the WordPress plugin Smart Forms prior to 2.6.71, which exposes the rednao_smart_forms_entries_list AJAX endpoint without proper authorization. This allows any authenticated user (e.g., a subscriber) to download arbitrary form data, potentially exposing sensitive informatio...
CVE-2022-0163 Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form...
WordPress的Smart Forms插件安全漏洞
WordPress is a set of blogging platforms developed using the PHP language by the Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An information disclosure vulnerability exists in WordPress Smart Forms Plugin versions prior to 2.6.71, which...
Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. PoC Execute the below command in the web...
Smart Forms < 2.6.71 - Subscriber+ Form Data Download
The plugin does not have authorisation in its rednaosmartformsentrieslist AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. Execute the below command in the web develop...
CVE-2020-6205
SAP NetWeaver AS ABAP Business Server Pages Smart Forms, SAPBASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content...
CVE-2020-6205
SAP NetWeaver AS ABAP Business Server Pages (Smart Forms) is affected across SAP BASIS versions 7.00–7.54 due to insufficient encoding of user-controlled inputs, enabling unauthenticated users to perform a Reflected Cross-Site Scripting (XSS) that can deface content, steal user credentials, imper...
CVE-2020-6205
SAP NetWeaver AS ABAP Business Server Pages Smart Forms, SAPBASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content...
PT-2020-19006 · Sap · Sap Netweaver As Abap +1
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS ABAP Business Server Pages Smart Forms, SAP BASIS versions 7.00 through 7.54 Description: The issue arises from insufficient encoding of user-controlled inputs, allowing an unauthenticated attacker to non-permanently deface o...