CVE-2024-32877

Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...

CVE-2024-32472

excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as...

CVE-2024-1392

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button1icon' attribute of the Dual Button widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

CVE-2024-1988

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute in blocks in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output...

CVE-2024-1841

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or...

CVE-2024-11196

The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mctagmap shortcode in all versions up to, and including, 17.0.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-22405

XADMaster is an objective-C library for archive and file unarchiving and extraction. When extracting a specially crafted zip archive XADMaster may not apply quarantine attribute correctly. Such behaviour may circumvent Gatekeeper checks on the system. Only macOS installations are affected. This...

CVE-2024-44575

RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session...

CVE-2023-28853

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection...

CVE-2023-0631

The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query...

CVE-2023-26158

All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, o...

CVE-2023-34085

When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request...

CVE-2023-38363

IBM CICS TX Advanced 10.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the...

CVE-2023-46789

Online Matrimonial Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'filename' attribute of the 'pic1' multipart parameter of the functions.php resource does not validate the characters received and they are sent unfiltered to the database...

CVE-2023-28439

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages ...

CVE-2023-39296

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network. We have already fixed the...

CVE-2023-45955

An issue discovered in Nanoleaf Light strip v3.5.10 allows attackers to cause a denial of service via crafted write binding attribute commands...

CVE-2023-41908

Cerebrate before 1.15 lacks the Secure attribute for the session cookie...

CVE-2023-40261

Diebold Nixdorf Vynamic Security Suite VSS before 3.3.0 SR17, 4.0.0 SR07, 4.1.0 SR04, 4.2.0 SR04, and 4.3.0 SR02 fails to validate file attributes during the Pre-Boot Authorization PBA process. This can be exploited by a physical attacker who is able to manipulate the contents of the system's har...

CVE-2023-37302

An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate from resources/wikibase/templates.js for quotes which can be in a title attribute...