Lark Technologies: Removed user can still view comments on the file/documents.
A vulnerability was found using a message API endpoint which could have resulted in a user being able to retrieve comments from a document after being removed. We thank @imrannisar for reporting this to our team...
Edit Comments <= 0.3 - Reflected Cross-Site Scripting
The plugin does not sanitise, validate or escape the jaleditcomments GET parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue. Post a comment on a page, then open https://example.com//?jaleditcomments=?jaleditcomments="alert/XSS/...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description: I found a stored XSS in your project which is caused by adding comments when creating a landlord, due to improper sanitization. 🕵️♂️ Proof of Concept. Steps to reproduce: 1. Create a Landlord. 2. Enter x''' in the comments. 3. Save and you will see a prompt. 💥 Impact: This vulnerability is...
Cross site scripting
Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files,...
CVE-2021-28977
Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files,...
Design/Logic Flaw
The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhgvcs that allowed the comments of non-published...
Design/Logic Flaw
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user even unauthenticated to add unlimited like/dislike to any comment. The plugin appears to have som...
Comments Like Dislike < 1.1.4 - Add Like/Dislike Bypass
The plugin allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user even unauthenticated to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie...
WordPress Comments Like Dislike plugin <= 1.1.3 - Repeated Voting Restriction Bypass vulnerability
Repeated Voting Restriction Bypass vulnerability discovered by Phu Tran in WordPress Comments Like Dislike plugin versions <= 1.1.3. Solution: Update the WordPress Comments Like Dislike plugin to the latest available version, at least 1.1.4...
CVE-2020-23689
CVE-2020-23689 affects YFCMF v2.3.1, with a stored cross-site scripting (XSS) vulnerability in the news page comments. The issue is evidenced across multiple sources (NVD entry and Red Hat/OSS references) noting a stored XSS in the comments section. The CVSS data indicates a medium severity (CVSS...
Textpattern CMS 4.8.4 Cross Site Scripting
Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting XSS Date: 2021-03-04 Exploit Author: Tushar Vaidya Vendor Homepage: https://textpattern.com Software Link: https://textpattern.com/start Version: v 4.8.4 Tested on: Windows Steps-To-Reproduce: 1. Login into...
Textpattern CMS 4.8.4 - (Comments) Persistent Cross-Site Scripting Vulnerability
Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting XSS Exploit Author: Tushar Vaidya Vendor Homepage: https://textpattern.com Software Link: https://textpattern.com/start Version: v 4.8.4 Tested on: Windows Steps-To-Reproduce: 1. Login into Textpattern CMS admin...
Invision Community Cross-Site Scripting Vulnerability
IPS Community Suite is Internet community software produced mainly by Invision Power Services; it is written in PHP and uses MySQL as its database management system. Versions of IPS Community Suite prior to 4.5.4.2 are vulnerable to a cross-site scripting vulnerability during a quoted post or...
CVE-2020-7776
CVE-2020-7776 affects phpoffice/phpspreadsheet (0.0.0 and earlier): the HTML writer concatenates user comments into links when exporting to HTML from an Excel file, enabling XSS in HTML output. Root cause: HTML writer handling of cell comments. A fix is available in commit 0ed5b800be2136bcb8fa9c1...
CVE-2020-25286
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public...
CVE-2020-25286
The CVE-2020-25286 issue affects WordPress core, specifically wp-includes/comment-template.php, present in WordPress versions before 5.4.2. The vulnerability allows comments from non-public posts/pages to appear in the latest comments, exposing potentially sensitive discussions. The root cause is...
Schneier.com is Moving
I'm switching my website software from Movable Type to Wordpress, and moving to a new host. The migration is expected to last from approximately 3 AM EST Monday until 4 PM EST Tuesday. The site will still be visible during that time, but comments will be disabled. This is to prevent any new...
Hardcodes - Find Hardcoded Strings From Source Code
hardcodes is a utility for searching for strings hardcoded by developers in programs. It uses a modular tokenizer that can handle comments, any number of backslashes and nearly any syntax you throw at it. It is designed to process any syntax, and the following languages are officially supported: ada,...
Schneier.com is Moving
I'm switching my website software from Movable Type to WordPress, and moving to a new host. The migration is expected to last from approximately 3 AM EST Monday until 4 PM EST Tuesday. The site will still be visible during that time, but comments will be disabled. This is to prevent any new commen...