1360 matches found

OSV
added 2024/08/21 2:30 p.m. · 481 views

GO-2022-0359 Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd

Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd...

CVSS 9.9 · AI score 8.9 · EPSS 0.01201
Exploits 0 · References 6
Cvelist
added 2024/08/09 6:00 a.m. · 21 views

CVE-2024-6158 Category Posts Widget (Free < 4.9.17, Pro < 4.9.13) - Admin+ Stored XSS

The Category Posts Widget WordPress plugin before 4.9.17 and the term-and-category-based-posts-widget WordPress plugin before 4.9.13 do not validate and escape some of their "Category Posts" widget settings before outputting them back in a page/post where the Widget is embedded, which could allow high...

EPSS 0.00415
Exploits 1 · References 1
NVD
added 2024/08/08 4:15 p.m. · 22 views

CVE-2024-7477

A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer...

CVSS 6.7 · EPSS 0.00189
Exploits 0 · References 1
OSV
added 2024/08/08 3:15 p.m. · 2 views

UBUNTU-CVE-2024-41942

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that...

CVSS 7.2 · AI score 7.1 · EPSS 0.0059
Exploits 0 · References 7
OSV
added 2024/08/05 5:15 a.m. · 2 views

CVE-2024-39838

ZWX-2000CSW2-HN firmware versions prior to Ver.0.3.15 use hard-coded credentials, which may allow a network-adjacent attacker with an administrative privilege to alter the configuration of the device...

CVSS 8.8 · AI score 6.1
Exploits 0 · References 2
OSV
added 2024/07/30 6:15 a.m. · 1 view

CVE-2024-3113

The FormFlow: WhatsApp Social and Advanced Form Builder with Easy Lead Collection WordPress plugin before 2.12.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml...

CVSS 5.9 · AI score 5.8 · EPSS 0.0031
Exploits 1 · References 1
Vulnrichment
added 2024/07/30 6:00 a.m. · 8 views

CVE-2024-6226 WpStickyBar <= 2.1.0 - Reflected XSS

The WpStickyBar WordPress plugin through 2.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.1 · EPSS 0.00339
Exploits 1 · References 1
Cvelist
added 2024/07/30 6:00 a.m. · 17 views

CVE-2024-6223 Send email only on Reply to My Comment <= 1.0.6 - Reflected XSS

The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

EPSS 0.00382
Exploits 1 · References 1
Japan Vulnerability Notes
added 2024/07/30 4:56 a.m. · 3 views

EC-CUBE 4 Series improper input validation when installing plugins

Overview: EC-CUBE 4 series provided by EC-CUBE CO.,LTD. improperly validates inputs when installing plugins (CWE-349). EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early...

CVSS 7.2 · AI score 7.2 · EPSS 0.00267
Exploits 0 · References 4
Positive Technologies
added 2024/07/30 12:00 a.m. · 4 views

PT-2024-28702 · WordPress · Sportspress

Name of the Vulnerable Software and Affected Versions: SportsPress WordPress plugin versions prior to 2.7.22. Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered html capability is disallowed, for example in...

CVSS 4.8 · AI score 5.6 · EPSS 0.00392
Exploits 1 · References 6
Cvelist
added 2024/07/29 6:00 a.m. · 30 views

CVE-2024-6487 Inline Related Posts < 3.8.0 - Admin+ Stored XSS

The Inline Related Posts WordPress plugin before 3.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup...

EPSS 0.0042
Exploits 1 · References 1
OSV
added 2024/07/24 6:15 a.m. · 3 views

CVE-2024-6094

The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup...

CVSS 4.8 · AI score 5.8
Exploits 0 · References 1
OSV
added 2024/07/13 6:15 a.m. · 2 views

CVE-2024-5644

The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup...

CVSS 5.4 · AI score 5.8
Exploits 0 · References 1
NVD
added 2024/07/13 6:15 a.m. · 30 views

CVE-2024-5283

The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 · EPSS 0.00368
Exploits 1 · References 1
OSV
added 2024/07/13 6:15 a.m. · 2 views

CVE-2024-5151

The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup...

CVSS 7.1 · AI score 5.8 · EPSS 0.00387
Exploits 1 · References 1
Cvelist
added 2024/07/13 6:00 a.m. · 26 views

CVE-2024-5715 WP eMember < 10.6.7 - Reflected XSS via Member Edit

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

EPSS 0.00387
Exploits 1 · References 1
CVE
added 2024/07/12 6:00 a.m. · 55 views

CVE-2024-3112

The CVE-2024-3112 entry concerns the Quotes and Tips by BestWebSoft WordPress plugin (pre-1.45). The vulnerability arises from improper validation of uploaded image files, enabling high-privilege users (e.g., administrators) to upload arbitrary files to the server, including in multisite configur...

CVSS 4.9 · AI score 5.1 · EPSS 0.00414
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2024/07/12 6:00 a.m. · 15 views

CVE-2024-0974 Social Media Widget < 4.0.9 - Admin+ Stored XSS

The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed, for example in a multisite setup...

AI score 5.7 · EPSS 0.0033
Exploits 1 · References 1
Positive Technologies
added 2024/07/12 12:00 a.m. · 3 views

PT-2024-23788 · Bestwebsoft · The Quotes/Tips By Bestwebsoft Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: The Quotes and Tips by BestWebSoft WordPress plugin versions prior to 1.45. Description: The issue concerns the improper validation of image files uploaded by high privilege users, such as admins, allowing them to upload arbitrary files on the...

CVSS 4.9 · AI score 7.1 · EPSS 0.00414
Exploits 1 · References 6
OSV
added 2024/07/11 6:15 a.m. · 1 view

CVE-2024-6138

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for...

CVSS 4.8 · AI score 5.8 · EPSS 0.00371
Exploits 1 · References 1