
264 matches found

Prion
added 2019/10/03 7:15 p.m. | 18 views

Cross site scripting

A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers...

CVSS 4.3 | AI score 6.2 | EPSS 0.01687
Exploits 2 | References 3 | Affected Software 1
CVE
added 2019/10/03 6:34 p.m. | 145 views

CVE-2019-16931

The WordPress Visualizer plugin (versions prior to 3.3.1; affected entry cites 3.3.0) contains a stored XSS via the WP-JSON API endpoint /wp-json/visualizer/v1/update-chart. The root cause is that Block.php registers this endpoint with no access control and Data.php lacks output sanitization, all...

CVSS 6.1 | AI score 6.5 | EPSS 0.01687
Exploits 2 | References 3 | Affected Software 1
Cvelist
added 2019/10/03 6:34 p.m. | 14 views

CVE-2019-16931

A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers...

AI score 6.6 | EPSS 0.01687
Exploits 2 | References 3
OpenVAS
added 2019/10/02 12:0 a.m. | 19 views

WordPress Visualizer Plugin < 3.3.1 Multiple Vulnerabilities

The WordPress plugin SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description) { script_oid("1.3.6.1.4.1.25623.1.0.113537");...

CVSS 10 | AI score 7.9 | EPSS 0.80844
Exploits 4 | References 3
NVD
added 2019/09/30 4:15 p.m. | 13 views

CVE-2019-16932

A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data...

CVSS 10 | AI score 9.5 | EPSS 0.80844
Exploits 2 | References 3
OSV
added 2019/09/30 4:15 p.m. | 1 view

CVE-2019-16932

A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data...

CVSS 10 | AI score 7.3
Exploits 0 | References 3
Prion
added 2019/09/30 4:15 p.m. | 17 views

Server side request forgery (SSRF)

A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data...

CVSS 5.8 | AI score 9.4 | EPSS 0.80844
Exploits 2 | References 3 | Affected Software 1
CVE
added 2019/09/30 3:8 p.m. | 101 views

CVE-2019-16932

The CVE-2019-16932 issue affects the WordPress Visualizer plugin prior to 3.3.1, where the /wp-json/visualizer/v1/upload-data endpoint exposes a blind server-side request forgery (SSRF). The vulnerability enables an attacker to send crafted requests and potentially reach internal resources, with ...

CVSS 10 | AI score 9.4 | EPSS 0.80844
Exploits 2 | References 3 | Affected Software 1
Cvelist
added 2019/09/30 3:8 p.m. | 14 views

CVE-2019-16932

A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data...

AI score 9.5 | EPSS 0.80844
Exploits 2 | References 3
RedHat Linux
added 2019/09/30 2:15 p.m. | 4 views

kibana: Arbitrary code execution flaw in the Timelion visualizer

An arbitrary code execution flaw was found in the Timelion visualizer in Kibana versions before 5.6.15 and 6.6.1. This flaw allows an attacker with access to the Timelion application to send a request that attempts to execute JavaScript code. This could lead to an attacker executing arbitrary...

CVSS 10 | AI score 6.4 | EPSS 0.94429
Exploits 12 | References 6
WPVulnDB
added 2019/09/28 12:0 a.m. | 19 views

Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)

By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify meta data of an existing chart, and inject a XSS payload to be stored and later executed when an admin goes to edit the chart. PoC curl -i -s -k -X $'POST' \ -H...

CVSS 4.3 | AI score 2.8 | EPSS 0.01687
Exploits 2 | References 1 | Affected Software 1
Patchstack
added 2019/09/28 12:0 a.m. | 14 views

WordPress Visualizer plugin <= 3.3.0 - Server-Side Request Forgery (SSRF)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks. Solution: Update the plugin to the latest version...

CVSS 10 | AI score 5.8 | EPSS 0.80844
Exploits 2 | References 1 | Affected Software 1
wpexploit
added 2019/09/28 12:0 a.m. | 27 views

Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)

By abusing a lack of access controls on the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint, an attacker can arbitrarily modify meta data of an existing chart, and inject a XSS payload to be stored and later executed when an admin goes to edit the chart. curl -i -s -k -X $'POST' \ -H...

CVSS 4.3 | AI score 1.8 | EPSS 0.01687
Exploits 2 | References 1
WPVulnDB
added 2019/09/28 12:0 a.m. | 14 views

Visualizer < 3.3.1 - Blind Server-Side Request Forgery (SSRF)

This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint. PoC curl -i -s -X $'POST' \ -H $'Host: 192.168.158.128:8000' \ --data-binary $'"url":"http://db:3306"' \ $'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data' See the references...

CVSS 5.8 | AI score 1.2 | EPSS 0.80844
Exploits 2 | References 1 | Affected Software 1
wpexploit
added 2019/09/28 12:0 a.m. | 15 views

Visualizer < 3.3.1 - Blind Server-Side Request Forgery (SSRF)

This plugin suffers from a blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint. curl -i -s -X $'POST' \ -H $'Host: 192.168.158.128:8000' \ --data-binary $'"url":"http://db:3306"' \ $'http://192.168.158.128:8000/wp-json/visualizer/v1/upload-data' See the references for...

CVSS 5.8 | AI score 1.9 | EPSS 0.80844
Exploits 2 | References 1
OpenVAS
added 2019/08/12 12:0 a.m. | 57 views

Elastic Kibana < 6.8.2, 7.x < 7.2.1 Multiple Vulnerabilities (ESA-2019-09, ESA-2019-10) - Windows

Kibana is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description)...

CVSS 9.1 | AI score 7.9 | EPSS 0.18518
Exploits 3 | References 2
NVD
added 2019/07/30 10:15 p.m. | 23 views

CVE-2019-7616

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an...

CVSS 4.9 | AI score 7.1 | EPSS 0.09087
Exploits 1 | References 1
myhack58
added 2019/03/30 12:0 a.m. | 228 views

Cisco releases many patches, fixing IOS XE and small business router vulnerabilities - vulnerability warning - the black bar safety net

On Wednesday, Cisco Systems Inc. released 26 patches, including bug fixes for its IOS XE operating system and two small business routers, the RV320 and RV325. Cisco rated a total of 19 of the vulnerabilities as high severity; the others were rated medium. In the high severity...

CVSS 10 | AI score 1.8 | EPSS 0.94429
Exploits 13
CNVD
added 2019/03/26 12:0 a.m. | 2 views

Kibana Command Injection Vulnerability (CNVD-2019-12163)

Elasticsearch Kibana is a suite of open source, browser-based analytics and search Elasticsearch dashboard tools from Elasticsearch Netherlands. A security vulnerability exists in Timelion visualizer in Kibana versions prior to 5.6.15 and prior to 6.6.1. A remote attacker can exploit the...

CVSS 10 | AI score 7.8 | EPSS 0.94429
Exploits 12 | References 1
Cvelist
added 2019/03/25 12:0 a.m. | 31 views

CVE-2019-7609

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands...

AI score 9.7 | EPSS 0.94429
Exploits 12 | References 5