558 matches found

NVD
added 2022/01/28 8:15 p.m., 13 views

CVE-2022-22791

SYNEL - eharmony Authenticated Blind & Stored XSS. Injecting JS code into the "comments" field could lead to potential stealing of cookies and loading of HTML tags and JS code onto the system...

6.6 CVSS, 0.00117 EPSS
Exploits 0, References 1

Prion
added 2022/01/28 8:15 p.m., 14 views

Design/Logic Flaw

SYNEL - eharmony Authenticated Blind & Stored XSS. Injecting JS code into the "comments" field could lead to potential stealing of cookies and loading of HTML tags and JS code onto the system...

3.5 CVSS, 5.6 AI score, 0.00117 EPSS
Exploits 0, References 1, Affected Software 1

Prion
added 2022/01/03 1:15 p.m., 13 views

Design/Logic Flaw

The Stars Rating WordPress plugin before 3.5.1 does not validate the submitted rating, allowing submission of a long integer and causing a Denial of Service in the comments section or in the pending comment dashboard, depending on whether the user sent it as unauthenticated or authenticated...

5 CVSS, 7.6 AI score, 0.00854 EPSS
Exploits 2, References 1, Affected Software 1

OSV
added 2021/12/13 4:15 p.m., 20 views

CVE-2021-39918

Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed...

4.3 CVSS, 6.3 AI score, 0.00226 EPSS
Exploits 0, References 3

CVE
added 2021/12/13 3:47 p.m., 51 views

CVE-2021-39918

CVE-2021-39918 – GitLab EE is affected by an Incorrect Authorization issue. It affects GitLab EE on all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. The impact is that a user can add comments to a vuln...

4.3 CVSS, 4.4 AI score, 0.00226 EPSS
Exploits 0, References 3, Affected Software 1

Patchstack
added 2021/12/06 12:00 a.m., 22 views

WordPress Stars Rating plugin <= 3.5.0 - Comments Denial of Service (DoS) vulnerability

Comments Denial of Service (DoS) vulnerability discovered by Drew Jones in WordPress Stars Rating plugin versions <= 3.5.0. Solution: Update the WordPress Stars Rating plugin to the latest available version, at least 3.5.1...

7.5 CVSS, 3.8 AI score, 0.00854 EPSS
Exploits 2, References 3, Affected Software 1

Huntr
added 2021/11/29 9:49 a.m., 19 views

Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Description: Very low severity CSRF in /comments/thanks/id. Proof of Concept: CLICK ME! Impact: This vulnerability is capable of tricking users into sending quick thanks. It can potentially trick users into infringing rate limits and getting themselves banned via a repeated CSRF attack if admins choose to set...

1.9 AI score
Exploits 0

CNVD
added 2021/11/10 12:00 a.m., 19 views

WordPress Plugin Cross-Site Request Forgery Vulnerability (CNVD-2021-101474)

WordPress is the WordPress Foundation's blogging platform, developed in the PHP language. The platform supports hosting personal blog sites on PHP and MySQL servers. WordPress Plugin is a WordPress open source application plugin. A cross-site request forgery vulnerability exists in...

4.3 CVSS, 1.9 AI score, 0.00143 EPSS
Exploits 2, References 1

OSV
added 2021/11/08 6:15 p.m., 4 views

CVE-2021-24806

The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged-in users such as an admin edit and delete arbitrary comments, or the user who made the comment edit it, via a CSRF attack. Attackers could also make...

4.3 CVSS, 5.9 AI score
Exploits 0, References 1

Prion
added 2021/11/08 6:15 p.m., 26 views

Cross-site request forgery (CSRF)

The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged-in users such as an admin edit and delete arbitrary comments, or the user who made the comment edit it, via a CSRF attack. Attackers could also make...

4.3 CVSS, 4.7 AI score, 0.00143 EPSS
Exploits 2, References 1, Affected Software 1

Prion
added 2021/11/01 9:15 a.m., 8 views

Cross-site request forgery (CSRF)

The Delete All Comments Easily WordPress plugin through 1.3 lacks Cross-Site Request Forgery (CSRF) checks, which could result in an unauthenticated attacker making a logged-in admin delete all comments from the blog...

4.3 CVSS, 6.6 AI score, 0.00233 EPSS
Exploits 1, References 2, Affected Software 1

OSV
added 2021/10/20 12:15 p.m., 21 views

CVE-2021-25969

The Camaleon CMS application, versions 0.0.1 to 2.6.0, is vulnerable to stored XSS, which allows an unauthenticated attacker to store malicious scripts in the comments section of a post. These scripts are executed in a victim's browser when they open the page containing the malicious comment...

6.1 CVSS, 6.5 AI score, 0.01472 EPSS
Exploits 0, References 2

Cvelist
added 2021/10/11 10:45 a.m., 15 views

CVE-2021-24737 Comments - wpDiscuz <= 7.3.0 - Admin+ Stored Cross-Site Scripting

The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is...

5 AI score, 0.00206 EPSS
Exploits 2, References 1

OSV
added 2021/10/06 10:15 a.m., 1 view

CVE-2021-36175

An improper neutralization of input vulnerability (CWE-79) in FortiWebManager versions 6.2.3 and below and 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device...

5.4 CVSS, 5.8 AI score, 0.00192 EPSS
Exploits 0, References 1

NVD
added 2021/09/27 12:15 p.m., 14 views

CVE-2021-40105

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments...

6.1 CVSS, 0.00261 EPSS
Exploits 0, References 2

Prion
added 2021/09/27 12:15 p.m., 12 views

Design/Logic Flaw

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments...

4.3 CVSS, 5.9 AI score, 0.00261 EPSS
Exploits 0, References 2, Affected Software 1

Cvelist
added 2021/09/27 11:58 a.m., 10 views

CVE-2021-40105

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments...

6.7 AI score, 0.00261 EPSS
Exploits 0, References 2

Prion
added 2021/09/23 1:15 p.m., 20 views

Session fixation

Concrete CMS prior to 8.5.6 had a CSRF vulnerability allowing attachments to comments in the conversation section to be deleted. Credit for discovery: "Solar Security Research Team"...

4.3 CVSS, 6.4 AI score, 0.00104 EPSS
Exploits 0, References 2, Affected Software 1

AlpineLinux
added 2021/09/20 5:10 p.m., 25 views

CVE-2021-32839

sqlparse is a non-validating SQL parser module for Python. sqlparse versions 0.4.0 and 0.4.1 contain a Regular Expression Denial of Service (ReDoS) vulnerability: the regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. On...

7.5 CVSS, 8 AI score, 0.00122 EPSS
Exploits 0

Prion
added 2021/09/13 6:15 p.m., 9 views

Cross-site request forgery (CSRF)

The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have a CSRF check in its 'Delete comments easily' function, which could allow attackers to make a logged-in admin delete arbitrary comments...

4.3 CVSS, 4.8 AI score, 0.00103 EPSS
Exploits 2, References 2, Affected Software 1