CVE-2021-43785
CVE-2021-43785 affects the @joeattardi/emoji-button Vanilla JavaScript emoji picker. The vulnerability comprises two XSS vectors: (1) a URL used for a custom emoji and (2) an i18n string. In affected versions, crafted values can cause a script tag to be inserted into the HTML, enabling malicious ...
Emoji-Button Cross-Site Scripting Vulnerability
Emoji-Button is a native JavaScript emoji selector. Emoji-Button is vulnerable to a cross-site scripting vulnerability that stems from the lack of effective filtering and validation of URLs and i18n strings in the software for custom emoji, which could be exploited by an attacker to craft an inpu...
WordPress Like Button Rating plugin <= 2.6.37 - Unauthorized Vote Export to Email & IP Addresses Disclosure vulnerability
Unauthorized Vote Export to Email & IP Addresses Disclosure vulnerability discovered by Krzysztof Zając in WordPress Like Button Rating plugin versions <= 2.6.37. Solution: Update the WordPress Like Button Rating plugin to the latest available version, at least 2.6.38...
Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure
The plugin does not have any authorisation and CSRF checks in the likebtnexportvotes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. fetch("http://example.com/wp-admin/admin-ajax.php", ...
Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure
The plugin does not have any authorisation and CSRF checks in the likebtnexportvotes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog. PoC: fetch("http://example.com/wp-admin/admin-ajax.php", ...
OPENSUSE-SU-2021:1434-1 Security update for opera
This update for opera fixes the following issues: Opera was updated to version 80.0.4170.63 - CHR-8612 Update chromium on desktop-stable-94-4170 to 94.0.4606.81 - DNA-95434 Crash at opera::ThemesService::UpdateCurrentTheme - The update to chromium 94.0.4606.81 fixes the following issues:...
CVE-2021-24572
The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could...
CVE-2021-24570
The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of t...
Cross site scripting
The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of t...
PT-2021-16087 · WordPress · Accept Donations With Paypal
Name of the Vulnerable Software and Affected Versions: Accept Donations with PayPal WordPress plugin versions prior to 1.3.1 Description: The issue is related to a lack of CSRF check in the process of creating new donation buttons, which are internally treated as posts. This allows an attacker to...
Security update for opera (important)
openSUSE Security Update: Security update for opera Announcement ID: openSUSE-SU-2021:1433-1 Rating: important References: Cross-References: CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977 CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 Affected Products: openSUSE Leap 15.2:NonFree An...
Security update for opera (important)
openSUSE Security Update: Security update for opera Announcement ID: openSUSE-SU-2021:1434-1 Rating: important References: Cross-References: CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977 CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 Affected Products: openSUSE Leap 15.3:NonFree An...
Paypal Donation < 1.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not escape the Amount Menu Name field of created Buttons, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/Edit a Button and put the following payload in the Amount Menu Name field...
Cross site scripting
Cross Site Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor; the file suffix is allowed...
Similar Posts < 3.1.6 - Admin+ Arbitrary PHP Code Execution
The plugin allows high privilege users to execute arbitrary PHP code in a hardened environment, i.e. with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true, via the 'widgetrrmsimilarpostscondition' widget setting of the plugin. Vendor was notified in July 2021, the issue was...
October 5, 2021, update for Outlook 2016 (KB5001998)
This article describes update 5001998 for Microsoft Outlook 2016 that was released on October 5, 2021. Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016. It doesn't apply...
in snipe/snipe-it
Description: Sensitive data on the application can be exposed after the user logs out. Proof of Concept: (1) Log in to the application https://demo.snipeitapp.com/; (2) go to a page such as My Account, or any other page; (3) click logout; (4) click the browser back button. Impact: When a user logs out without closing the...
CVE-2021-41878
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console, and it is possible to insert a vulnerable malicious button...
Cross site scripting
A reflected cross-site scripting (XSS) vulnerability exists in the i-Panel Administration System Version 2.0 that enables a remote attacker to execute arbitrary JavaScript code in the browser-based web console, and it is possible to insert a vulnerable malicious button...