17 matches found

Vulnrichment
added 2026/05/12 1:57 p.m., 9 views

CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...

8.1 CVSS, 5.8 AI score, 0.00282 EPSS
Exploits 0, References 1
Cvelist
added 2026/05/12 1:57 p.m., 37 views

CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...

8.1 CVSS, 0.00282 EPSS
Exploits 0, References 1
CVE
added 2026/05/12 1:57 p.m., 19 views

CVE-2026-43938

Summary (supported): CVE-2026-43938 affects YetAnotherForum.NET (YAF.NET) prior to 4.0.5 and 3.2.12. The database logger captures the request’s User-Agent into a JSON object and stores it in EventLog.Description. When an admin views the EventLog, the code deserializes that JSON and interpolates t...

8.1 CVSS, 5.8 AI score, 0.00282 EPSS
Exploits 0, References 1
Github Security Blog
added 2026/05/05 8:31 p.m., 12 views

YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

Description: Stored second-order Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitly trust...

8.1 CVSS, 5.9 AI score, 0.00282 EPSS
Exploits 0, References 5, Affected Software 1
Snyk
added 2026/05/05 8:31 p.m., 11 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the User-Agent header being logged and later rendered in the admin event log interface without proper output encoding. An attacker can execute arbitrary JavaScript in an administrator's browser by submitting...

9.6 CVSS, 5.8 AI score, 0.00282 EPSS
Exploits 0, References 2
OSV
added 2026/05/05 8:31 p.m., 7 views

GHSA-33GV-FC78-QGF5 YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header

Description: Stored second-order Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitly trust...

8.1 CVSS, 5.9 AI score, 0.00282 EPSS
Exploits 0, References 5
ATTACKERKB
added 2026/01/17 4:34 a.m., 2 views

CVE-2025-14029

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxadmineventapproval function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via t...

5.3 CVSS, 5.6 AI score, 0.0024 EPSS
Exploits 0, References 6
Positive Technologies
added 2026/01/17 12:00 a.m., 10 views

PT-2026-3348

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax admin event approval function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events vi...

5.3 CVSS, 5.5 AI score, 0.0024 EPSS
Exploits 0, References 6
RedhatCVE
added 2025/11/19 12:20 p.m., 6 views

CVE-2025-6670

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation...

8.8 CVSS, 6.3 AI score, 0.0019 EPSS
Exploits 0, References 1
OSV
added 2025/11/18 12:15 p.m., 7 views

CVE-2025-6670

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation...

8.8 CVSS, 6.3 AI score
Exploits 0, References 1
Vulnrichment
added 2023/12/25 12:00 a.m., 10 views

CVE-2023-48653

Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross-Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential...

6.8 AI score, 0.00276 EPSS
Exploits 0, References 2
OSV
added 2021/09/13 6:15 p.m., 3 views

CVE-2021-24510

The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue...

6.1 CVSS, 6.4 AI score, 0.0231 EPSS
Exploits 1, References 1
CNVD
added 2018/01/02 12:00 a.m., 2 views

Muslim Matrimonial Script Cross-Site Scripting Vulnerability (CNVD-2018-01242)

Muslim Matrimonial Script is a community matrimonial script for matrimonial websites by PHP Scripts Mall. A cross-site scripting vulnerability exists in PHP Scripts Mall Muslim Matrimonial Script. The vulnerability can be exploited to conduct cross-site scripting attacks via the admin/eventedit.p...

4.8 CVSS, 6.5 AI score, 0.00492 EPSS
Exploits 1, References 1
CNVD
added 2018/01/02 12:00 a.m., 3 views

Muslim Matrimonial Script Cross-Site Scripting Vulnerability (CNVD-2018-01239)

Muslim Matrimonial Script is a community matrimonial script for matrimonial websites by PHP Scripts Mall. A cross-site scripting vulnerability exists in PHP Scripts Mall Muslim Matrimonial Script. The vulnerability can be exploited to conduct cross-site scripting attacks via the admin/eventadd.ph...

4.8 CVSS, 6.5 AI score, 0.00492 EPSS
Exploits 1, References 1
OSV
added 2017/12/30 4:29 a.m., 3 views

CVE-2017-17984

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/eventedit.php editid parameter...

4.8 CVSS, 5.8 AI score, 0.00492 EPSS
Exploits 1, References 1
OSV
added 2017/12/30 4:29 a.m., 3 views

CVE-2017-17988

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/eventadd.php eventtitle parameter...

4.8 CVSS, 5.8 AI score, 0.00492 EPSS
Exploits 1, References 1
CNVD
added 2015/05/04 12:00 a.m., 1 view

Wing FTP Server Admin /admin_event_list.html type Cross Site Scripting Vulnerability

Wing FTP Server is a professional cross-platform FTP server; it has good speed, reliability and a friendly configuration interface. Wing FTP Server Admin /admin_event_list.html type parameter handling has a cross-site scripting vulnerability that allows remote attackers to exploit the vulnerabilit...

6 AI score
Exploits 0, References 1