JWT URL-login flow leaks token to data sources through request parameter in proxy requests
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the “url_login” configuration option (disabled by default), a...
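A model of the leak described in this entry, as an added example and not Grafana's own code: a JWT accepted from the auth_token query parameter must be dropped before the request is proxied on to a data source, and a token that did get through shows up in the data source's access logs. The function names, the data-source URL and the log lines are constructed for illustration.

```python
"""Model of the url_login leak: a JWT read from the auth_token query
parameter must not travel on to a data source when the request is
proxied. Added example; names, the data-source URL and the log lines
are constructed, not taken from Grafana."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

AUTH_QUERY_PARAM = "auth_token"  # parameter name given in the advisory


def token_from_url(request_url):
    """What url_login does: pick the JWT out of the query string, if any."""
    for key, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        if key == AUTH_QUERY_PARAM:
            return value
    return None


def _target(datasource_base, incoming_path):
    base = urlsplit(datasource_base)
    return base.scheme, base.netloc, base.path.rstrip("/") + incoming_path


def proxied_url_leaky(datasource_base, incoming_url):
    """Vulnerable pattern: forward the caller's query string verbatim, so the
    token that authenticated the user also reaches the data source."""
    inc = urlsplit(incoming_url)
    scheme, netloc, path = _target(datasource_base, inc.path)
    return urlunsplit((scheme, netloc, path, inc.query, ""))


def proxied_url_safe(datasource_base, incoming_url, drop=frozenset({AUTH_QUERY_PARAM})):
    """Hardened pattern: rebuild the query without credential-bearing parameters."""
    inc = urlsplit(incoming_url)
    kept = [(k, v) for k, v in parse_qsl(inc.query, keep_blank_values=True) if k not in drop]
    scheme, netloc, path = _target(datasource_base, inc.path)
    return urlunsplit((scheme, netloc, path, urlencode(kept), ""))


# Detection on the data-source side: a JWT is three base64url segments, the
# first of which starts with "eyJ" (base64 of '{"'), so one sitting in a
# query string is easy to spot in access logs.
_JWT_IN_QUERY = re.compile(r"[?&]" + AUTH_QUERY_PARAM + r"=(eyJ[\w-]+\.[\w-]+\.[\w-]+)")


def find_leaked_tokens(log_lines):
    """Return the JWTs found in auth_token query parameters of the given lines."""
    hits = []
    for line in log_lines:
        match = _JWT_IN_QUERY.search(line)
        if match:
            hits.append(match.group(1))
    return hits


# Constructed sample access log: two of the three requests carry a token.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /api/v1/query?query=up HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /api/v1/query?query=up&auth_token=eyJhbGciOiJIUzI1NiJ9.e30.c2lnMQ HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2023:10:00:02 +0000] "GET /api/v1/series?auth_token=eyJhbGciOiJIUzI1NiJ9.e30.c2lnMg&match[]=up HTTP/1.1" 200 90',
]
```

The safe builder drops the parameter by name rather than trying to recognise JWT-shaped values, so it also covers non-JWT secrets handed in through the same parameter; the regex is only for finding tokens that already leaked.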
CVE-2023-24005
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Winwar Media Inline Tweet Sharer – Twitter Sharing Plugin plugin <= 2.5.3 versions...
CVE-2023-23710
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 versions...
CVE-2023-24005 WordPress Inline Tweet Sharer – Twitter Sharing Plugin Plugin <= 2.5.3 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-24005
Affects WordPress plugin WordPress Inline Tweet Sharer – Twitter Sharing Plugin (Plugin
CVE-2023-23710
The CVE-2023-23710 entry concerns the miniOrange WordPress Social Login and Register plugin (Discord, Google, Twitter, LinkedIn) with versions
CVE-2023-23866
The CVE-2023-23866 entry concerns the WordPress plugin Interactive Geo Maps (Carlos Moreira) ≤ 1.5.8, with a Stored Cross-Site Scripting (XSS) flaw caused by inadequate escaping/validation of shortcode attributes. This allows contributors (and higher) to inject scripts that are persisted in pages...
CVE-2023-23889 WordPress Quick Paypal Payments Plugin <= 5.7.25 is vulnerable to Cross Site Scripting (XSS)
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Paypal Payments plugin <= 5.7.25 versions...
Cross site scripting
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in George Pattihis Link Juice Keeper plugin <= 2.0.2 versions...
CVE-2023-25461
CVE-2023-25461 affects namithjawahar Wp-Insert plugin
CVE-2023-25793
CVE-2023-25793 describes a stored XSS vulnerability in the WordPress plugin Link Juice Keeper, affecting versions
CVE-2023-25793 WordPress Link Juice Keeper Plugin <= 2.0.2 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-25484
CVE-2023-25484 affects the WordPress plugin Simple Yearly Archive (Oliver Schlöbe) up to version 2.1.8. It is a Stored XSS vulnerability that requires admin+ authentication to exploit. Public sources specify the vulnerable component as the plugin’s code handling user input, with the impact descri...
Cross site scripting
Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes Regina Lite theme <= 2.0.7 versions...
CVE-2023-25490
CVE-2023-25490 concerns the WordPress plugin Archivist – Custom Archive Templates (versions
CVE-2023-25710
CVE-2023-25710 affects the WordPress plugin DigitalBLUE Click to Call or Chat Buttons up to version 1.4.0. The issue is a Stored Cross-Site Scripting (XSS) vulnerability requiring admin+ privileges. The root cause is a stored XSS flaw in the plugin, with impact limited to confidentiality and int...
Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
#!/bin/bash
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version: Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"...
CVE-2022-40482
The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a us...
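A model of the pattern behind this entry, as an added example written in Python rather than Laravel's PHP: a login that returns early when the username is unknown never runs the password hash, so an unknown account answers measurably faster than a known one with a wrong password, which is exactly what a concurrency-based (timeless) timing measurement can rank. The hardened version always pays the hashing cost and then pads the call to a fixed minimum duration, the same idea as the Timebox helper Laravel 9.32.0 introduced. The user table, salt and cost parameters are constructed for the demonstration.

```python
"""Model of the CVE-2022-40482 pattern: early return on an unknown user
skips the password hash and leaks account existence through timing.
Added example in Python, not Laravel's code; the user table, salt and
cost settings are constructed."""
import hashlib
import hmac
import time

HASH_ITERATIONS = 100_000    # slow enough that skipping the hash is measurable
MIN_LOGIN_SECONDS = 0.2      # duration floor used by the hardened version
_SALT = b"constructed-salt"  # one shared salt is fine for a demonstration


def hash_password(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)


# Constructed user table with a single account.
USERS = {"alice": hash_password("correct horse battery")}


def login_vulnerable(username, password):
    """Early return when the user is unknown: no hash is computed, so the
    call finishes in microseconds instead of the tens of milliseconds a
    known user with a wrong password costs."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(hash_password(password), stored)


def login_hardened(username, password):
    """Always do the hashing work, then pad the call to a fixed minimum
    duration so neither branch is distinguishable by response time."""
    started = time.perf_counter()
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # dummy work so this branch costs the same
        ok = False
    else:
        ok = hmac.compare_digest(hash_password(password), stored)
    # Sleep until the deadline; loop in case sleep wakes slightly early.
    while (remaining := MIN_LOGIN_SECONDS - (time.perf_counter() - started)) > 0:
        time.sleep(remaining)
    return ok


def timed(fn, *args):
    """Return (result, seconds) for one call."""
    t0 = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - t0


def timing_gap(login):
    """Seconds a known-user/wrong-password attempt takes minus an unknown-user
    attempt. A large positive gap means the login leaks account existence."""
    _, t_known = timed(login, "alice", "wrong password")
    _, t_unknown = timed(login, "mallory", "wrong password")
    return t_known - t_unknown
```

Running timing_gap against login_vulnerable shows a gap of roughly one hash computation; against login_hardened it collapses to scheduler jitter. The duration floor matters because "do a dummy hash" alone still leaks if the two code paths differ in other work (database round trips, cache hits), and an attacker using HTTP/2 multiplexing only needs a consistent ordering, not an absolute measurement.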
CVE-2022-41612
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Shareaholic Similar Posts plugin <= 3.1.6 versions...