CVE-2024-1070
CVE-2024-1070 concerns the SiteOrigin Widgets Bundle plugin for WordPress. It describes a Stored XSS via the features attribute in all versions up to 1.58.2 caused by insufficient input sanitization and output escaping. The vulnerability permits authenticated attackers with contributor+ privilege...
Host Header Injection
pimcore/admin-ui-classic-bundle is vulnerable to Host Header Injection. The vulnerability is caused due to unsafely using the host header from incoming HTTP requests when generating URLs in the function invitationLinkAction within UserController.php, specifically in the way $loginUrl trusts user...
CVE-2024-25625
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in pimcore/admin-ui-classic-bundle prior to version 1.3.4. The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController,...
Design/Logic Flaw
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in pimcore/admin-ui-classic-bundle prior to version 1.3.4. The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController,...
CVE-2024-25625 Pimcore Host Header Injection in user invitation link
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in pimcore/admin-ui-classic-bundle prior to version 1.3.4. The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController,...
CVE-2024-25625
Pimcore Admin UI Classic Bundle (prior to 1.3.4) is vulnerable to Host Header Injection via the invitationLinkAction in UserController. The login URL is built using unvalidated host headers when generating $loginUrl, allowing an attacker to inject a malicious domain into invitation emails and ena...
CVE-2024-0037
creationtimestamp | type | source
---|---|---
2024-02-16 03:21:58+00:00 | seen | https://t.me/ctinow/186089
2025-02-03 19:33:09+00:00 | seen | https://vulnerability.circl.lu/bundle/cf59c148-4047-4ccd-8ba0-26fb7197899c...
WordPress Email Encoder Bundle Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS)
Software: Email Encoder Bundle
Type: Plugin
Vulnerable versions: <= 2.2.0
Fixed in: 2.2.1
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2024-1282
Patch priority: Low
CVSS severity: Low 6.5
PSID: db2eb8d78c8d
Credits: Richard Telleng...
SiteOrigin Widgets Bundle < 1.58.3 - Contributor+ Stored Cross-Site Scripting
Description The plugin is vulnerable to Stored Cross-Site Scripting via the code editor due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to perform Stored XSS attacks...
Pimcore Admin Classic Bundle permissions are not getting checked when working with tags
Impact You can create, delete etc. tags without having the permission to do so. This vulnerability allows an attacker to perform broken access control and add tags to admin panel and add dummy data. One can do this as intruder and add text parameters with random numbers and this will affect...
GHSA-3RFR-MPFJ-2JWQ Pimcore Admin Classic Bundle permissions are not getting checked when working with tags
Impact You can create, delete etc. tags without having the permission to do so. This vulnerability allows an attacker to perform broken access control and add tags to admin panel and add dummy data. One can do this as intruder and add text parameters with random numbers and this will affect...
Code injection
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually...
CVE-2024-24822 Pimcore Admin Classic Bundle permissions are not getting checked when working with tags
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually...
CVE-2024-24822
Pimcore Admin Classic Bundle (pre-1.3.3) is affected by CVE-2024-24822 due to broken access control in tag management. An attacker can create, delete, and modify tags without proper permissions. A fix is available in version 1.3.3; patch can be applied manually via the referenced PR.
CVE-2024-0961
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the code editor in all versions up to, and including, 1.58.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access ...
Cross site scripting
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the code editor in all versions up to, and including, 1.58.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access ...
CVE-2024-0961 SiteOrigin Widgets Bundle <= 1.58.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the code editor in all versions up to, and including, 1.58.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access ...