CVE-2020-19007
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. The javascript code supplied by the attacker will then execute in the victim user's browser...
Mail.ru: Ability to view comments on other users' requests [corporate.city-mobil.ru]
IDOR vulnerability in the corporate.city-mobil.ru interface allowed access to the feedback comments of other users...
Phabricator: Edit Policy restriction does not prevent comments.
Change the edit policy of a Maniphest Task - Attempt to comment on the task with a user who doesn't have access. Impact: Given that a few users I spoke to believe restricting the edit policy blocks comments, this allows an underprivileged user to gain access to carry out a restricted action. Mongoos...
WordPress: CSRF on comment post
Hi WordPress, I just found a CSRF on comment post. It allows an attacker to make the victim comment on a post. Steps To Reproduce: Attacker sends the victim a link with the content below: history.pushState('', '', '/') Video poc: F891759 Impact: Attacker makes the victim comment on a post...
PT-2020-16064 · WordPress · Wordpress
Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.4.2 Description: In WordPress, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. This issue is related to the comment-template.php file in the...
Fedora 31 : wordpress (2020-bbedd29391)
WordPress 5.4.2 Security and Maintenance Release This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes; see the list below. These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you'll want to upgrade. Securi...
PHP-Fusion 9.03.60 PHP Object Injection / SQL Injection Exploit
Exploit for php platform in category web applications Exploit Title: PHP-Fusion v9.03.60, PHP Object Injection to SQL injection pre-auth Exploit Author: coiffeur Vendor Homepage: https://www.php-fusion.co.uk/home.php Software Link: https://www.php-fusion.co.uk/phpfusion9downloads.php Version:...
WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments
Description Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions...
Cross-Site Scripting (XSS)
ssddanbrown/bookstack is vulnerable to cross-site scripting (XSS). Lack of validation and sanitization allows a remote attacker to inject and execute arbitrary JavaScript in a user's browser via the comments...
Cross-Site Scripting in BookStack
Impact A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other users' machine...
GHSA-5VF7-Q87H-PG6W Cross-Site Scripting in BookStack
Impact A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other users' machine...
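The BookStack entries above describe one stored-XSS pattern: a commenter POSTs raw HTML, the server stores it unchanged, and every other viewer's browser renders it. As an added illustration, not code from BookStack or any other project in this listing, the Python sanitizer below keeps a small allowlist of tags and attributes and drops everything else, including script blocks, event-handler attributes and javascript: URLs, so what is stored is safe to render. The tag list, attribute list and URL schemes are assumptions chosen for the example, not BookStack's policy.

```python
import html
from html.parser import HTMLParser

# Allowlist (assumed for this example): formatting tags plus links with a safe scheme.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")   # relative URLs are rejected too


class CommentSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; all text is entity-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowlisted tags currently open, for well-formed output
        self.skip_depth = 0     # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag removed; its inner text is kept
        safe_attrs = []
        for name, value in attrs:       # on* handlers never appear in ALLOWED_ATTRS
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue            # blocks javascript:, data:, vbscript: URLs
                safe_attrs.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # close back to the matching tag so the output nests correctly
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            # convert_charrefs already decoded entities; re-escape so "<" cannot
            # reopen a tag when the stored comment is rendered
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()                    # flush buffered text
        while self.open_tags:           # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(raw_html: str) -> str:
    """Return the version of a submitted comment that is safe to store and render."""
    parser = CommentSanitizer()
    parser.feed(raw_html)
    return parser.result()


if __name__ == "__main__":
    # constructed sample payloads of the kind the reports describe
    for payload in ('<b>hi</b><script>alert(1)</script>',
                    '<img src=x onerror=alert(1)>text',
                    '<a href="javascript:alert(1)">x</a>'):
        print(repr(payload), "->", repr(sanitize_comment(payload)))
```

Sanitising on write, as here, is what stops the stored payload; it does not replace output encoding in templates, which still has to escape anything rendered outside this allowlist path.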
RGhost: IDOR on the DELETE /comments/
Summary: IDOR on /comments Steps To Reproduce: Make sure you have 2 different IDs to maintain 2 different sessions, to be certain 1. The request can be tampered with using the ID of a different comment; both the edit/delete functions can be used 2. Delete gets hampered by the Captcha which is thrown but...
Mail.ru: Cross-Site Request Forgery (CSRF) in my.games API
CSRF vulnerability allowed to add/delete/edit store.my.games comments...
CVE-2020-10975
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page...
Cross site request forgery (csrf)
CSRF in admin/manage-comments.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to disapprove any comment, given the id, via a crafted request...
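The RGhost IDOR entry, the my.games and WordPress CSRF entries, and the PHPKB disapprove-by-id entry above all concern comment endpoints that act on a supplied comment id without checking who owns it, or without checking that the request came from the site's own page rather than a page the attacker controls. As an added example, not code from any of those projects, the Python model below uses a constructed Request stand-in: the vulnerable delete trusts the id and the session cookie alone, and the hardened delete additionally requires a session-bound CSRF token plus an ownership-or-moderator check. The Request shape, the HMAC token scheme and the user names are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


class CsrfError(Exception):
    pass


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (assumption for this example).

    session_user is who the session cookie resolves to; the browser attaches that
    cookie automatically, even to a request forged by another site. form holds the
    POST fields, which are controlled by whoever built the submitting page.
    """
    session_user: str
    form: dict = field(default_factory=dict)


class CommentStore:
    def __init__(self, secret_key: bytes):
        self.secret_key = secret_key
        self.comments = {}        # comment id -> {"owner": user, "body": text}
        self.moderators = set()
        self.next_id = 1

    def csrf_token(self, user: str) -> str:
        # Token bound to the session identity. A cross-site page can make the
        # browser send the cookie but cannot read this value to include it.
        return hmac.new(self.secret_key, user.encode(), hashlib.sha256).hexdigest()

    def _require_csrf(self, req: Request) -> None:
        supplied = str(req.form.get("csrf_token", "")).encode()
        expected = self.csrf_token(req.session_user).encode()
        if not hmac.compare_digest(expected, supplied):
            raise CsrfError("missing or invalid CSRF token")

    def add(self, req: Request) -> int:
        self._require_csrf(req)
        cid = self.next_id
        self.next_id += 1
        self.comments[cid] = {"owner": req.session_user, "body": req.form["body"]}
        return cid

    def delete_vulnerable(self, req: Request) -> None:
        # The pattern behind the listed reports: any logged-in session can delete
        # any comment id, and a forged cross-site POST is indistinguishable from a
        # genuine one because only the cookie is consulted.
        del self.comments[int(req.form["id"])]

    def delete(self, req: Request) -> None:
        self._require_csrf(req)                     # rejects forged cross-site requests
        cid = int(req.form["id"])
        comment = self.comments.get(cid)
        if comment is None:
            raise KeyError(cid)
        if comment["owner"] != req.session_user and req.session_user not in self.moderators:
            raise AuthorizationError(f"{req.session_user} may not delete comment {cid}")
        del self.comments[cid]


def scenario() -> dict:
    """Runs the three cases and returns what happened."""
    store = CommentStore(b"server-side secret (assumed for the example)")
    alice_token = store.csrf_token("alice")
    cid = store.add(Request("alice", {"csrf_token": alice_token, "body": "hello"}))
    out = {}

    # 1. Cross-site forgery: alice's browser sends her cookie, but the attacker's
    #    page cannot supply her token.
    try:
        store.delete(Request("alice", {"id": str(cid)}))
        out["csrf_blocked"] = False
    except CsrfError:
        out["csrf_blocked"] = True

    # 2. IDOR: bob holds a valid token for his own session but does not own the comment.
    try:
        store.delete(Request("bob", {"csrf_token": store.csrf_token("bob"), "id": str(cid)}))
        out["idor_blocked"] = False
    except AuthorizationError:
        out["idor_blocked"] = True
    out["still_present"] = cid in store.comments

    # 3. The unchecked handler lets bob delete alice's comment outright.
    store.delete_vulnerable(Request("bob", {"id": str(cid)}))
    out["deleted_via_vulnerable"] = cid not in store.comments
    return out


if __name__ == "__main__":
    print(scenario())
```

The two checks are independent: the CSRF token alone would not have stopped the RGhost or PHPKB cases, where the attacker is a legitimate logged-in user submitting someone else's comment id, and the ownership check alone would not have stopped the WordPress or my.games cases, where the victim's own browser is tricked into sending the request.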
CVE-2019-13004
An issue was discovered in GitLab Community and Enterprise Edition 11.10 through 12.0.2. When specific encoded characters were added to comments, the comments section would become inaccessible. It has an Incorrect Access Control issue (1 of 2)...
Authorization
An issue was discovered in GitLab Community and Enterprise Edition 11.9 and later through 12.0.2. GitLab Snippets were vulnerable to an authorization issue that allowed unauthorized users to add comments to a private snippet. It allows authentication bypass...
CVE-2019-13004
Removed by vendor...