43 matches found
defu security vulnerability
Defu is a lightweight utility library from UnJS for recursively assigning default values to objects. Versions of Defu prior to 6.1.5 contained a security vulnerability: passing unsanitized user input into the Defu functions could lead to prototype...
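The entry above is cut off at "prototype"; the bug class that recursive defaults-merging is known for is prototype pollution, where a key such as `__proto__` in attacker-controlled input reaches `Object.prototype`. The following is an added illustration of that class, not defu's own source and not its API: a generic "merge input over defaults" routine in the shape such libraries use, first unsafe, then hardened. The function names and the JSON payload are constructed for the example.

```javascript
// Added illustrative example, not defu's own source: a recursive
// "merge user input over defaults" routine in the shape such libraries use,
// first in an unsafe form and then hardened. Names are ours.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Unsafe: when input has an own key "__proto__" (JSON.parse creates one),
// target["__proto__"] resolves to Object.prototype, which is a plain object,
// so the recursion writes the attacker's keys onto Object.prototype itself.
function mergeUnsafe(target, input) {
  for (const key of Object.keys(input)) {
    const val = input[key];
    if (isPlainObject(val) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], val);
    } else if (val !== undefined) {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into properties the target actually owns (never into inherited ones).
function mergeSafe(target, input) {
  for (const key of Object.keys(input)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = input[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(val) && isPlainObject(own)) {
      mergeSafe(own, val);
    } else if (val !== undefined) {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive in a JSON request body.
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the payload over fresh defaults and report whether an unrelated
// object now inherits the attacker's key. The global side effect is undone
// afterwards so the two variants can be compared in one process.
function runMerge(merge) {
  const defaults = { theme: 'light' };
  const merged = merge(defaults, JSON.parse(PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { merged, polluted };
}

console.log('unsafe merge pollutes Object.prototype:', runMerge(mergeUnsafe).polluted); // true
console.log('safe merge pollutes Object.prototype:', runMerge(mergeSafe).polluted);     // false
```

The practical check when triaging such a report: feed `JSON.parse('{"__proto__":{"x":1}}')` through the merge and then inspect `({}).x` in the same process; if it is defined, every object in the application now carries the attacker's key. The hardened form blocks the three dangerous keys and, independently, never recurses into inherited properties, so either defence alone closes this payload.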
EUVD-2020-0116
Malware in sbrugna...
EUVD-2023-56250
Malicious code in bioql PyPI...
EUVD-2023-56249
Malicious code in bioql PyPI...
EUVD-2023-57668
Malicious code in bioql PyPI...
📄 JS Archive List 6.1.5 SQL Injection
JS Archive List versions 6.1.5 and below suffer from a remote SQL injection vulnerability. CVE-2025-54726 JS Archive List <= 6.1.5 - Unauthenticated SQL Injection Description The JS Archive List plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 6.1.5 due to...
CVE-2025-7670
The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
CVE-2025-7670
CVE-2025-7670 – JS Archive List (WordPress) is a time-based SQL injection in the build_sql_where() path of all versions up to 6.1.5, due to insufficient escaping and query prep. This allows unauthenticated attackers to append SQL to existing queries and potentially leak sensitive data. Mitigation...
CVE-2025-7670 JS Archive List <= 6.1.5 - Unauthenticated SQL Injection via build_sql_where Function
The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
CVE-2025-34062
An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token, which may be retrievable from host registry keys or improperly secured logs, can retrieve a plaintext respon...
PT-2025-27583 · One Identity · One Identity Onelogin Active Directory Connector
Name of the Vulnerable Software and Affected Versions: One Identity OneLogin Active Directory Connector versions prior to 6.1.5 Description: The issue concerns the mishandling of DirectoryToken encryption, also known as ST-812. This problem occurred due to an error in the encryption process...
CVE-2024-0365
The Fancy Product Designer WordPress plugin before 6.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by administrators...
CVE-2023-51538
Cross-Site Request Forgery (CSRF) vulnerability in Awesome Support Team Awesome Support – WordPress HelpDesk & Support Plugin. This issue affects Awesome Support – WordPress HelpDesk & Support Plugin: from n/a through 6.1.5...
Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence
A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of...
CVE-2025-24859
A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This...
PT-2025-7475 · WordPress · Modal Window
Name of the Vulnerable Software and Affected Versions: The Modal Window plugin for WordPress versions up to, and including, 6.1.5 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode due to insufficient input sanitization and output escaping on...
Zoom Apps for macOS < 6.1.5 Information Disclosure (ZSB-24039)
The version of Zoom Workplace Desktop App for macOS installed on the remote host is prior to 6.1.5. It is, therefore, affected by an information disclosure vulnerability as referenced in the ZSB-24039 advisory: - Uncontrolled resource consumption in the installer for some Zoom apps for macOS...
Zoom Apps for macOS < 6.1.5 Information Disclosure (ZSB-24040)
The version of Zoom Workplace Desktop App for macOS installed on the remote host is prior to 6.1.5. It is, therefore, affected by an information disclosure vulnerability as referenced in the ZSB-24040 advisory: - Symlink following in the installer for some Zoom apps for macOS before version 6.1....
WordPress Modern Events Calendar SQL Injection Scanner
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule < Msf::Auxiliary ... 'Name' => 'WordPress Modern Events Calendar SQLi Scanner', 'Description' => %q{ Modern Events Calendar plugin contains an unauthenticated time-based SQL...
PT-2024-29948 · Zoom · Zoom Workplace Desktop App +2
Name of the Vulnerable Software and Affected Versions: Zoom Workplace Desktop App for macOS versions prior to 6.1.5 Zoom Meeting SDK for macOS versions prior to 6.1.5 Zoom Rooms Client for macOS versions prior to 6.1.5 Description: The issue is related to improper privilege management in the...