WP Sticky Button < 1.4.1 - Unauthenticated Arbitrary Settings Update to Stored XSS
The plugin does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues. fetch"/wp-admin/admin-ajax.php", "headers": "content-type":...
WordPress WP Sticky Button plugin <= 1.4.0 - Unauthenticated Arbitrary Settings Update vulnerability leading to Stored Cross-Site Scripting (XSS)
Unauthenticated Arbitrary Settings Update vulnerability leading to Stored Cross-Site Scripting (XSS), discovered by Krzysztof Zając in WordPress WP Sticky Button plugin versions <= 1.4.0. Solution: Update the WordPress WP Sticky Button – Click to Chat plugin to the latest available version, at least...
Button Plugin MaxButtons < 9.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...
July 19, 2022—KB5015879 (OS Build 20348.859) Preview
July 19, 2022—KB5015879 (OS Build 20348.859) Preview. For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note: Follow @WindowsUpdate to find out...
CVE-2022-1912
The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugin's settings an...
CVE-2022-1912
The CVE-2022-1912 entry concerns the WordPress plugin Button Widget Smartsoft, affecting versions up to and including 1.0.1. The underlying issue is missing nonce validation on the smartsoftbutton_settings page, enabling CSRF. This allows unauthenticated attackers to update the plugin’s settings ...
CVE-2022-1912 Button Widget Smartsoft <= 1.0.1 - Cross-Site Request Forgery to Cross-Site Scripting
The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugin's settings an...
WordPress plugin Button Widget Smartsoft Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an application extension for the platform. A security vulnerability exists in WordPres...
Login schema unable to be configured and the SELECT button grayed out
When configuring nFactor authentication, the user is unable to select the login schema XML on the GUI page. The "SELECT" button is greyed out, as shown in the screenshot below...
admin-tool-button (>=1.0.1a0 <=1.0.5a0), aimmo (>=2.0.0 <=2.4.0) +87 more potentially affected by CVE-2022-34265 via django (>=3.2.0 <=3.2.13)
django PYPI version =3.2.0, =1.0.1a0, =2.0.0, =0.2.0, =22.0.0.dev21, =22.0.0.dev13, =22.0.0.dev29, =6.0.0, =6.0.0, =1.1.0, =1.1.1 - common-framework =2021.4.1 - directory-constants =21.3.0 and more Source cves: CVE-2022-34265 Source advisory: OSV:GHSA-P64X-8RXX-WF6Q...
admin-tool-button (>=1.0.1a0 <=1.0.5a0), aimmo (>=2.0.0 <=2.4.0) +87 more potentially affected by CVE-2022-34265 via django (>=3.2.0 <=3.2.13)
django PYPI version =3.2.0, =1.0.1a0, =2.0.0, =0.2.0, =22.0.0.dev21, =22.0.0.dev13, =22.0.0.dev29, =6.0.0, =6.0.0, =1.1.0, =1.1.1 - common-framework =2021.4.1 - directory-constants =21.3.0 and more Source cves: CVE-2022-34265 Source advisory: OSV:PYSEC-2022-213...
Name Directory < 1.25.3 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well. alert/XSS/" /...
Toll fraud malware: How an Android application can drain your wallet
Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware – and it continues to evolve. Compared to other subcategories of billing fraud, which...
Joy ebike Wolf Security Vulnerability
Joy ebike Wolf is an electric scooter from Joy ebike India. A security vulnerability exists in Joy ebike Wolf Manufacturing. A remote attacker could exploit the vulnerability to prevent the vehicle lock button from taking effect, so that the vehicle remains unlocked...
Jenkins Cross-Site Scripting Vulnerability (CNVD-2022-65927)
Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins versions 2.340 through 2.355 contain a cross-site scripting vulnerability that stems from the tooltip of the build...
GHSA-6G4R-Q7QG-6QX6 Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356 addresses this vulnerability. The tooltip of the build button in list vie...
CVE-2022-34173
In Jenkins 2.340 through 2.355 (both inclusive), the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission...
Jenkins Cross-Site Scripting Vulnerability
Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins versions 2.340 through 2.355 contain a cross-site scripting vulnerability that stems from the tooltip of the build...
PT-2022-22040 · Jenkins · Jenkins
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.340 through 2.355. Description: The tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability. This issue is exploitable by attackers...
MAL-2022-4622 Malicious code in mitui-comp-follow-button (npm)
Per source details (Source: ghsa-malware 1ec2258f4ac3890208ab0a86cfa7870e80a344822c1754abc483caa4d7aede97): Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...