PT-2023-28395 · WordPress · Ai Chatbot
Name of the Vulnerable Software and Affected Versions: AI ChatBot WordPress plugin versions prior to 4.7.8. Description: The issue allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example, in...
CVE-2023-24397
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Reservation.Studio Reservation.Studio widget plugin = 1.0.11 versions...
CVE-2023-3992
The PostX WordPress plugin before 3.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-4023
CVE-2023-4023 – All Users Messenger (WordPress) vulnerability: The All Users Messenger plugin (≤1.24) allows non-administrator users with Subscriber privileges to delete messages due to missing access control (IDOR). Descriptions across connected sources confirm the issue as a broken-access-cont...
CVE-2023-3501 FormCraft < 1.2.7 - Admin+ Stored XSS
The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
WordPress plugin All Users Messenger security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in the...
Privilege Escalation
github.com/gravitl/netmaker is vulnerable to Privilege Escalation. The vulnerability exists due to improper permission validation for non-admin users, which allows an attacker to perform authorized actions on users, such as changing roles...
CVE-2023-24516
Cross-site Scripting XSS vulnerability in the Pandora FMS Special Days component allows an attacker to use it to steal the session cookie value of admin users easily with little user interaction. This issue affects Pandora FMS v767 version and prior versions on all platforms...
Cross site scripting
Cross-site Scripting XSS vulnerability in the Pandora FMS Special Days component allows an attacker to use it to steal the session cookie value of admin users easily with little user interaction. This issue affects Pandora FMS v767 version and prior versions on all platforms...
CVE-2023-24516 Stored Cross Site Scripting - Special Days Module
Cross-site Scripting XSS vulnerability in the Pandora FMS Special Days component allows an attacker to use it to steal the session cookie value of admin users easily with little user interaction. This issue affects Pandora FMS v767 version and prior versions on all platforms...
CVE-2023-4413
Summary: CVE-2023-4413 concerns the rkhunter Rootkit Hunter vulnerability affecting versions 1.4.4–1.4.6. It targets an unknown function in /var/log/rkhunter.log, allowing manipulation that can reveal sensitive information in log files. Exploitation is described as locally accessible with high co...
CVE-2023-3645
The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite...
CVE-2023-3721 WP-EMail < 2.69.1 - Admin+ Stored Cross-Site Scripting
The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
PT-2023-21495 · WordPress · Ultimate Addons For Contact Form 7
Name of the Vulnerable Software and Affected Versions: The Ultimate Addons for Contact Form 7 WordPress plugin versions prior to 3.1.29. Description: The issue is related to a Reflected Cross-Site Scripting that could be used against high-privilege users, such as admin. This occurs because a...
Post Timeline < 2.2.6 - Reflected XSS
Description: The plugin does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin. PoC: Make a logged-in admin open the URL below...
CVE-2023-3130
The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
Design/Logic Flaw
The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges...
CVE-2023-20891
The VMware Tanzu Application Service for VMs and Isolation Segment contain an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system audit logs. A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF...
PT-2023-24727 · Apache · Apache Inlong
Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.4.0 through 1.7.0. Description: The issue allows an attacker to use general users to delete and update processes that should only be operable by admins. Recommendations: For versions 1.4.0 through 1.7.0, upgrade to...
CVE-2023-2701
The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin...