PT-2022-17286 · WordPress · The Visual Portfolio
Name of the Vulnerable Software and Affected Versions: The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin versions prior to 2.18.0 Description: The issue concerns a lack of proper authorization checks in some REST endpoints of the plugin, allowing unauthenticated users to call these...
WordPress plugin Visual Portfolio security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on PHP and MySQL servers. WordPress plugin is an...
Mageia: Security Advisory (MGASA-2022-0300)
The remote host is missing an update for the...
Updated thunderbird packages fix security vulnerability
Mouse Position spoofing with CSS transforms (CVE-2022-36319). Directory indexes for bundled resources reflected URL parameters (CVE-2022-36318)...
Gnome Shell, gettext, libcroco: Multiple Vulnerabilities
Background: GNOME Shell provides core user interface functions for the GNOME desktop, like switching to windows and launching applications. gettext contains the GNU locale utilities. libcroco is a standalone CSS2 parsing and manipulation library. Description: The cr_parser_parse_any_core function in...
Malicious code in gulpclan-css (npm)
Source: ghsa-malware (3a03276930e88f02d43c1c267bcfed61c9d100fce5a37591b85fb28b2456b747). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3509 Malicious code in gulpclan-css (npm)
Source: ghsa-malware (3a03276930e88f02d43c1c267bcfed61c9d100fce5a37591b85fb28b2456b747). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in clbena-css (npm)
Source: ghsa-malware (c44b45542f156a9889a2159c4934ecedc85ce7030da5b313b9695f561c67fe8e). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-1913 Malicious code in clbena-css (npm)
Source: ghsa-malware (c44b45542f156a9889a2159c4934ecedc85ce7030da5b313b9695f561c67fe8e). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts. The postid is the ID of a saved layout...
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts. PoC: The postid is the ID of a saved layout...
WordPress Visual Portfolio Plugin <= 2.18.0 - Authenticated CSS Injection vulnerability
Authenticated CSS Injection vulnerability discovered by Krzysztof Zając in Visual Portfolio plugin versions <= 2.18.0. Solution: Update the WordPress Visual Portfolio, Photo Gallery & Post Grid plugin to the latest available version (at least 2.19.0)...
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts. The postid is the ID of a saved layout. As a contributor, get a REST nonce via...
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts. PoC: The postid is the ID of a saved layout. As a contributor, get a REST nonce via...
WordPress Visual Portfolio Plugin <= 2.17.1 - Unauthenticated CSS Injection vulnerability
Unauthenticated CSS Injection vulnerability discovered by Krzysztof Zając in Visual Portfolio plugin versions <= 2.17.1. Solution: Update the WordPress Visual Portfolio, Photo Gallery & Post Grid plugin to the latest available version (at least 1.18.0)...
UI Redressing
Description: Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking a user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe in the attacker’s own website and overlays it with objects such as buttons using CSS skills...
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup). Navigate to style settings:...
AlmaLinux 8 : thunderbird (5774) (ALSA-2022:5774)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2022:5774 advisory. - Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102. Some of these bugs showed evidence of memory...
AlmaLinux 8 : firefox (5777) (ALSA-2022:5777)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2022:5777 advisory. - Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102. Some of these bugs showed evidence of memory...