WordPress Download Attachments plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Krzysztof Zając in WordPress Plugin Download Attachments versions <= 1.3...
WordPress Download Attachments Plugin <= 1.3 is vulnerable to Cross Site Scripting (XSS)
Software: Download Attachments. Type: Plugin. Vulnerable versions: <= 1.3. Fixed in: N/A. OWASP Top 10: A7: Cross-Site Scripting (XSS). Classification: Cross Site Scripting (XSS). CVE: CVE-2024-3230. Patch priority: Low. CVSS severity: Low (6.5). PSID: 7374cb764af8. Credits: Krzysztof Zając. Require...
Download Attachments <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Download Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'download-attachments' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
RHEL 7 : mailman (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - mailman: arbitrary content injection via the options login page CVE-2020-12108 - mailman: XSS via file...
RHEL 9 : xdg-utils (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - xdg-utils: improper parse of mailto URIs allows bypass of Thunderbird security mechanism for attachments...
CVE-2024-35224 Stored Cross-Site Scripting (XSS) in OpenProject
OpenProject is the leading open source project management software. OpenProject utilizes tablesorter inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via icon substitution in table header values. This attack requires the permissions "Edit work package...
CVE-2024-3609
CVE-2024-3609 affects the ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin. A missing capability check in reviewx_remove_guest_image across versions up to 1.6.27 allows authenticated users with subscriber access and above to delete attachments, enabling data deletion. Wordfence/Wo...
PT-2024-26226 · Eramba · Eramba
Name of the Vulnerable Software and Affected Versions: Eramba Community versions prior to 3.22.0 Description: A bug was found in the /attachments/attachments/download/ API endpoint, allowing arbitrary file download due to a lack of user permission checks. This issue is related to an Insecure Dire...
PT-2024-4831 · Apple · Ios +1
Name of the Vulnerable Software and Affected Versions: iOS versions prior to 17.5 iPadOS versions prior to 17.5 Description: A privacy issue was addressed with improved handling of temporary files. This issue may allow an app to access Notes attachments, potentially revealing protected informatio...
RHEL 7 : xdg-utils (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - xdg-utils: local file inclusion vulnerability CVE-2020-27748 - xdg-utils: improper parse of mailto URIs...
CVE-2021-35002
BMC Track-It! Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of...
CVE-2021-35002
CVE-2021-35002 (BMC Track-It!) involves an unvalidated processing path for email attachments in Track-It!, enabling an attacker to upload arbitrary files and execute code in the service account context. Affected software is BMC Track-It! (Track-It! helpdesk/asset management product). The root cau...
CVE-2024-23188
Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the user's...
PT-2024-19704 · Open Xchange Gmbh +1 · Ox App Suite +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user...
CVE-2024-3606
The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pmuploadcoverimage function in all versions up to, and including, 5.8.3. This makes it possible for authenticated...
PT-2024-26871 · WordPress · Profilegrid
Name of the Vulnerable Software and Affected Versions: The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress versions up to, and including, 5.8.3 Description: The issue is related to a missing capability check on the pmuploadcoverimage function, allowing...
FBI warns online daters to avoid “free” online verification schemes that prove costly
The FBI has warned of fraudsters targeting users of dating websites and apps with “free” online verification service schemes that turn out to be very costly. Instead of being free, as advertised, the verification schemes involve steep monthly subscription fees, and will steal personal information...
Debian dla-3801 : emacs - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3801 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3801-1 [email protected]...