Lucene search
K

1360 matches found

CVE
CVE
added 2022/07/04 6:56 a.m.91 views

CVE-2022-29513

CVE-2022-29513 is a cross-site scripting vulnerability in Cybozu Garoon’s Scheduler. The issue arises from insufficient sanitization of user input in the Scheduler, allowing a remote authenticated attacker with administrative privileges to execute arbitrary JavaScript in a logged-in user’s browse...

4.8CVSS5.3AI score0.00527EPSS
Exploits0References2Affected Software1
CNVD
CNVD
added 2022/06/30 12:0 a.m.18 views

WordPress WP Ultimate CSV Importer Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A server cross-site request...

7.2CVSS6.8AI score0.0126EPSS
Exploits2References1
Prion
Prion
added 2022/06/28 1:15 p.m.21 views

Hardcoded credentials

Use of hard-coded credentials vulnerability exists in STARDOM FCN Controller and FCJ Controller R4.10 to R4.31, which may allow an attacker with an administrative privilege to read/change configuration settings or update the controller with tampered firmware...

9CVSS7.1AI score0.01428EPSS
Exploits0References4Affected Software2
WPVulnDB
WPVulnDB
added 2022/06/28 12:0 a.m.26 views

Request a Quote <= 2.3.7 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Misc No Access Message setting of the plugin: The XSS will ...

4.8CVSS3.2AI score0.00532EPSS
Exploits2Affected Software1
OSV
OSV
added 2022/06/27 9:15 a.m.1 views

CVE-2022-1994

The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...

4.8CVSS5.8AI score0.00552EPSS
Exploits2References1
ATTACKERKB
ATTACKERKB
added 2022/06/27 9:15 a.m.7 views

CVE-2022-1994

The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed...

4.8CVSS5.8AI score0.00552EPSS
Exploits2References2
OSV
OSV
added 2022/06/27 9:15 a.m.4 views

CVE-2022-1321

The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example ...

4.8CVSS5.8AI score0.00548EPSS
Exploits2References1
OSV
OSV
added 2022/06/27 9:15 a.m.3 views

CVE-2022-1095

The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS5.8AI score0.00552EPSS
Exploits2References1
Prion
Prion
added 2022/06/27 9:15 a.m.15 views

Cross site request forgery (csrf)

The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

4.3CVSS4.5AI score0.00412EPSS
Exploits2References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2022/06/27 9:15 a.m.6 views

CVE-2022-1095

The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.8CVSS5.5AI score0.00552EPSS
Exploits2References2
Cvelist
Cvelist
added 2022/06/27 8:56 a.m.17 views

CVE-2022-1326 Form - Contact Form <= 1.2.0 - Admin+ Stored Cross-Site Scripting

The Form - Contact Form WordPress plugin through 1.2.0 does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

5.2AI score0.00552EPSS
Exploits2References1
CNNVD
CNNVD
added 2022/06/27 12:0 a.m.3 views

WordPress plugin My Private Site 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress My Private Site plugin version 3.0.8 or earlier is vulnerable to cross-site request forgery...

4.3CVSS5.3AI score0.00412EPSS
Exploits2References2
Code423n4
Code423n4
added 2022/06/26 12:0 a.m.21 views

Centralization Risk On The Withdraw Operation

Lines of code Vulnerability details Impact During the code review, It has been observed that admin can withdraw all tokens from the system. Proof of Concept 1. Navigate to the following contract : Tools Used Code Review Recommended Mitigation Steps We advise the client to carefully manage the adm...

6.9AI score
Exploits0
WPVulnDB
WPVulnDB
added 2022/06/21 12:0 a.m.22 views

Very Simple Breadcrumb <= 1.0 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "Breadcrumb css class name" settings of the plugin: "...

4.8CVSS2.4AI score0.00493EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/06/21 12:0 a.m.23 views

Best Contact Management Software <= 3.7.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the "No Access Message" settings...

4.8CVSS3.2AI score0.00493EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/06/20 12:0 a.m.12 views

WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC 1. Navigate to Settings -Duplicate Page - Duplicate Page Settings and enter the XSS payload into...

4.8CVSS0.5AI score0.00493EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2022/06/20 12:0 a.m.15 views

Bold Page Builder < 4.3.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. PoC 1. Navigate to Settings - Bold Builder - Bold Builder Settings and enter "" into the "Color...

4.8CVSS1.1AI score0.00935EPSS
Exploits2Affected Software1
FreeBSD
FreeBSD
added 2022/06/19 12:0 a.m.49 views

Grafana -- Stored XSS

Grafana Labs reports: An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Note: Grafana Alerting is activated by default in Grafana 9.0...

8.7CVSS3.1AI score0.68603EPSS
Exploits0References1
Code423n4
Code423n4
added 2022/06/17 12:0 a.m.14 views

Owner can sweep any token

Lines of code Vulnerability details Impact Admin can sweep any token even if the token is in use by the contract. Ideally only non blacklisted tokens should be allowed by unlockTokens function function unlockTokensIERC20 token external override onlyOwner uint256 amount = token.balanceOfaddressthi...

6.8AI score
Exploits0
OSV
OSV
added 2022/06/14 12:0 a.m.1 views

GHSA-MCQM-6FF4-53QX Cross-site Scripting in Strapi

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege...

4.8CVSS5.9AI score0.00712EPSS
Exploits0References4
Rows per page
Query Builder