PT-2025-1683 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak, affected versions not specified. Description: A denial of service issue was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any...
Access Control Bypass
Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass through the normalizePath function, by utilizing a double file:// scheme to bypass local file system validation. Note: This is only exploitable if the administrator has ...
PT-2024-35159 · Craft · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 4.12.2 and 5.4.3. Description: The issue is related to a missing normalizePath in the FileHelper::absolutePath function, which could lead to Remote Code Execution on the server via Twig Server-Side Template Injection...
PT-2024-35157 · Craft Cms · Craft Cms
Name of the Vulnerable Software and Affected Versions: CraftCMS versions prior to 4.12.5; CraftCMS versions prior to 5.4.6. Description: A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme. This enables the attacker to specify...
CVE-2024-6856
CVE-2024-6856 affects the WordPress plugin WP MultiTasking (versions up to 0.1.12). The root cause is a missing CSRF check when updating plugin settings, enabling a logged-in attacker to modify settings through a CSRF attack. Exploitation details are not provided beyond this description in the co...
CVE-2024-3405
The WP Prayer WordPress plugin through 2.0.9 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2024-2429
The Salon booking system WordPress plugin through 9.6.5 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
PT-2024-14950 · WordPress · Wordpress Users
Name of the Vulnerable Software and Affected Versions: WordPress Users WordPress plugin versions 1.4 and earlier. Description: The issue is related to the lack of a CSRF check when updating settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
Order Delivery Date for WP e-Commerce <= 1.2 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
Remove/hide Author, Date, Category Like Entry-Meta <= 2.1 - Settings Update via CSRF
Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
PT-2023-27228 · Craft · Craft
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 3.8.15; Craft versions prior to 4.4.15. Description: The issue is related to bypassing the validatePath function, which can lead to potential remote code execution. This can result in malicious control of vulnerable...
CVE-2022-4548
The Optimize images ALT Text & names for SEO using AI WordPress plugin before 2.0.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
Unrestricted ComptrollerInterface and InterestRateModel Contract Changes by Admin and PendingAdmin leading to Loss of Funds for Users
Lines of code · Vulnerability details · Impact: // Maximum borrow rate that can ever be applied .0005% / block uint internal constant borrowRateMaxMantissa = 0.0005e16; // Maximum fraction of interest that can be set aside for reserves uint internal constant reserveFactorMaxMantissa = 1e18; The...
CVE-2022-38656
HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes...
CVE-2022-38656
CVE-2022-38656 relates to HCL Commerce when used with Elasticsearch. The vulnerability could allow a remote attacker to cause a denial of service and to make administrative changes on the site. Affected software is HCL Commerce integrated with Elasticsearch; the underlying root cause is not expli...
PT-2022-24506 · Elastic +1 · Elasticsearch +1
Name of the Vulnerable Software and Affected Versions: HCL Commerce, affected versions not specified. Description: The issue allows a remote attacker to cause a denial of service attack on the site and make administrative changes when HCL Commerce is used with Elasticsearch. Recommendations: At the...
CVE-2022-2171
The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to a Stored XSS issue...
CVE-2022-1960
The MyCSS WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
WordPress plugin New User Approve Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress New User Approve plugin versions prior to 2.4 are vulnerable to cross-site request forgery, which...
Cross-Site Request Forgery (CSRF)
The WPlite WordPress plugin through 1.3.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...