Lucene search

7378 matches found

Patchstack
added 2024/03/07 12:00 a.m., 6 views

WordPress User Registration Plugin <= 3.1.4 is vulnerable to Cross Site Scripting (XSS)

Software: User Registration; Type: Plugin; Vulnerable versions: <= 3.1.4; Fixed in: 3.1.5; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-1720; Patch priority: Low; CVSS severity: Low (7.1); Developer: Masteriyo; PSID: f3574c07a0a6; Credits: stealthcopter; Required...

CVSS 6.1, AI score 5.7, EPSS 0.01977
Exploits 0, References 3, Affected software 1
Patchstack
added 2024/03/07 12:00 a.m., 7 views

WordPress Contact Form Entries Plugin <= 1.3.3 is vulnerable to Cross Site Scripting (XSS)

Software: Contact Form Entries; Type: Plugin; Vulnerable versions: <= 1.3.3; Fixed in: 1.3.4; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-2030; Patch priority: Low; CVSS severity: Low (6.5); Developer: not listed; PSID: 5485073f02fc; Credits: Krzysztof Zając...

CVSS 6.4, AI score 5.8, EPSS 0.00193
Exploits 0, References 3, Affected software 1
OSV
added 2024/03/06 11:16 a.m., 22 views

BIT-GITLAB-2022-1406

Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0 allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project...

CVSS 6.5, AI score 6.2, EPSS 0.00215
Exploits 0, References 4
OSV
added 2024/03/06 11:16 a.m., 18 views

BIT-GITLAB-2022-1423

Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading...

CVSS 8.8, AI score 8.7, EPSS 0.00093
Exploits 0, References 4
OSV
added 2024/03/06 11:15 a.m., 18 views

BIT-GITLAB-2022-1944

When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs...

CVSS 7.1, AI score 6.6, EPSS 0.00162
Exploits 0, References 3
OSV
added 2024/03/06 11:06 a.m., 14 views

BIT-SILVERSTRIPE-2020-25817

SilverStripe through 4.6.0-rc1 has an XXE vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity (XXE) attacks. When this developer utility is misused for purposes involving external or user-submitted data in custom...

CVSS 4.8, AI score 5, EPSS 0.00348
Exploits 0, References 4
OSV
added 2024/03/06 10:53 a.m., 24 views

BIT-JASPERREPORTS-2022-41563

The Dashboard component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server, TIBCO JasperReports Server - Developer Edition, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for Microsoft Azure,...

CVSS 9, AI score 5.8, EPSS 0.0046
Exploits 0, References 2
Patchstack
added 2024/03/06 12:00 a.m., 14 views

WordPress Post Grid, Slider & Carousel Ultimate Plugin <= 1.6.7 is vulnerable to PHP Object Injection

Software: Post Grid, Slider & Carousel Ultimate; Type: Plugin; Vulnerable versions: <= 1.6.7; Fixed in: 1.6.8; OWASP Top 10: A1 Injection; Classification: PHP Object Injection; CVE: CVE-2024-2006; Patch priority: Low; CVSS severity: Low (8.5); Developer: not listed; PSID: ef206ea07872; Credits: Francesco Carlucci...

CVSS 8.8, AI score 7.2, EPSS 0.0198
Exploits 0, References 3, Affected software 1
Patchstack
added 2024/03/06 12:00 a.m., 9 views

WordPress FluentForm Plugin <= 5.1.9 is vulnerable to Cross Site Scripting (XSS)

Software: FluentForm; Type: Plugin; Vulnerable versions: <= 5.1.9; Fixed in: 5.1.10; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2023-6957; Patch priority: Low; CVSS severity: Low (6.5); Developer: not listed; PSID: ac30a92484ee; Credits: drop; Required privilege...

CVSS 5.4, AI score 6, EPSS 0.00229
Exploits 0, References 3, Affected software 1
Spring Engineering
added 2024/03/05 12:00 a.m., 18 views

This Week in Spring - March 5th, 2024

Hi, Spring fans! Welcome to another exciting roundup of This Week in Spring! I expect many of you are reading this for the first time, especially with Facebook and Instagram being down. People have been exploring all the other lesser-known corners of the web, looking for their daily "doom scroll....

AI score 7.1
Exploits 0
Patchstack
added 2024/03/05 12:00 a.m., 10 views

WordPress Event Tickets Plugin < 5.8.1 is vulnerable to Broken Access Control

Software: Event Tickets; Type: Plugin; Vulnerable versions: < 5.8.1; Fixed in: 5.8.1; OWASP Top 10: A1 Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-1316; Patch priority: Low; CVSS severity: Low (4.3); Developer: Liquid Web / StellarWP; PSID: dbfa94357fe1; Credits: Scott Kingsley Clark; Requir...

CVSS 6.5, AI score 6.4, EPSS 0.00703
Exploits 2, References 4, Affected software 1
Tenable Nessus
added 2024/03/05 12:00 a.m., 22 views

Amazon Linux 2 : libuv (ALAS-2024-2474)

The version of libuv installed on the remote host is prior to 1.39.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2474 advisory. libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in src/unix/getaddrinfo.c and...

CVSS 7.3, AI score 7, EPSS 0.002
Exploits 1, References 4
Patchstack
added 2024/03/04 12:00 a.m., 12 views

WordPress GenerateBlocks Plugin <= 1.8.2 is vulnerable to Sensitive Data Exposure

Software: GenerateBlocks; Type: Plugin; Vulnerable versions: <= 1.8.2; Fixed in: 1.8.3; OWASP Top 10: A3 Sensitive Data Exposure; Classification: Sensitive Data Exposure; CVE: CVE-2024-1452; Patch priority: Low; CVSS severity: Low (4.3); Developer: not listed; PSID: 17b91c2bc914; Credits: Webbernaut; Required privile...

CVSS 4.3, AI score 6.5, EPSS 0.00241
Exploits 0, References 3, Affected software 1
Amazon
added 2024/03/04 12:00 a.m., 28 views

Medium: libuv

Issue Overview: libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in src/unix/getaddrinfo.c and its Windows counterpart src/win/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to...

CVSS 7.3, AI score 7.5, EPSS 0.002
Exploits 1
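The two libuv entries above (the Nessus plugin and the Amazon advisory) describe the same defect: the hostname is silently cut to a fixed length before the real resolver sees it, so any check an application performed on the full string no longer applies to the name that is actually resolved. The C below is an added illustration written for this listing; it is not libuv's source and not the advisory's proof of concept. It models the pre-fix behaviour as a copy into a 256-byte buffer (an assumption about the mechanism, stated in the comments), uses a constructed allow-list suffix `.example.com` and a constructed 267-character hostname, and shows the length guard a caller should apply before handing a name to any resolver.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* DNS name limits from RFC 1035: 255 octets for the whole name, 63 per label. */
#define DNS_MAX_NAME  255
#define DNS_MAX_LABEL 63

/* Assumption, not libuv's code: the pre-fix behaviour described in the
 * advisory is modelled as a copy into a fixed buffer of `cap` bytes that
 * silently keeps only the first cap-1 characters and drops the rest. */
void simulate_truncating_copy(const char *host, char *out, size_t cap) {
    size_t n = strlen(host);
    if (n >= cap)
        n = cap - 1;
    memcpy(out, host, n);
    out[n] = '\0';
}

/* The kind of allow-list check an application performs on the FULL string
 * before handing the name to a resolver (the suffix is a constructed example). */
bool ends_with_suffix(const char *host, const char *suffix) {
    size_t hl = strlen(host), sl = strlen(suffix);
    return hl >= sl && strcmp(host + hl - sl, suffix) == 0;
}

/* Guard to run before any resolver call: reject names that exceed the DNS
 * limits instead of letting a lower layer shorten them. A trailing dot
 * (absolute name) is accepted; empty labels and over-long labels are not. */
bool hostname_within_dns_limits(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > DNS_MAX_NAME)
        return false;
    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        if (host[i] == '.') {
            if (label == 0 || label > DNS_MAX_LABEL)
                return false;
            label = 0;
        } else {
            label++;
        }
    }
    return label <= DNS_MAX_LABEL;
}

/* Constructed input (not a real hostname): four 63-character labels, i.e.
 * exactly 255 characters, followed by the allow-listed suffix. Returns the
 * length written, or -1 if `cap` is too small. */
int build_crafted_hostname(char *out, size_t cap) {
    const char *suffix = ".example.com";
    size_t need = 4 * DNS_MAX_LABEL + 3 + strlen(suffix) + 1;
    if (cap < need)
        return -1;
    size_t pos = 0;
    for (int l = 0; l < 4; l++) {
        if (l > 0)
            out[pos++] = '.';
        memset(out + pos, 'a', DNS_MAX_LABEL);
        pos += DNS_MAX_LABEL;
    }
    strcpy(out + pos, suffix);
    return (int)(pos + strlen(suffix));
}

/* True when the full name passes the allow-list, the truncated name the
 * resolver would actually see does not (it is a different, well-formed
 * name), and the guard would have rejected the full name up front. */
bool truncation_defeats_allowlist(void) {
    char full[512], seen[256];
    if (build_crafted_hostname(full, sizeof full) < 0)
        return false;
    simulate_truncating_copy(full, seen, sizeof seen);
    return ends_with_suffix(full, ".example.com")
        && !ends_with_suffix(seen, ".example.com")
        && strcmp(full, seen) != 0
        && hostname_within_dns_limits(seen)
        && !hostname_within_dns_limits(full);
}

int main(void) {
    char full[512], seen[256];
    int len = build_crafted_hostname(full, sizeof full);
    simulate_truncating_copy(full, seen, sizeof seen);
    printf("full name: %d chars, passes allow-list: %s\n", len,
           ends_with_suffix(full, ".example.com") ? "yes" : "no");
    printf("name after truncation: %zu chars, passes allow-list: %s\n",
           strlen(seen), ends_with_suffix(seen, ".example.com") ? "yes" : "no");
    printf("guard rejects full name before resolution: %s\n",
           hostname_within_dns_limits(full) ? "no" : "yes");
    return 0;
}
```

The point of the guard is that it enforces the protocol limit at the layer that also does the policy check, so a name that cannot be resolved as written is refused rather than being quietly rewritten somewhere below the check. Updating libuv to a fixed package removes the truncation itself; the guard is cheap defence in depth for any code path that validates a hostname string and then resolves it.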
Patchstack
added 2024/03/04 12:00 a.m., 12 views

WordPress SportsPress – Sports Club & League Manager Plugin <= 2.7.17 is vulnerable to Broken Access Control

Software: SportsPress – Sports Club & League Manager; Type: Plugin; Vulnerable versions: <= 2.7.17; Fixed in: 2.7.18; OWASP Top 10: A5 Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-1178; Patch priority: Low; CVSS severity: Low (5.3); Developer: not listed; PSID: f2c7c572664c; Credits...

CVSS 5.3, AI score 6.5, EPSS 0.00267
Exploits 0, References 3, Affected software 1
Patchstack
added 2024/03/04 12:00 a.m., 11 views

WordPress Easy!Appointments Plugin <= 1.3.1 is vulnerable to Cross Site Scripting (XSS)

Software: Easy!Appointments; Type: Plugin; Vulnerable versions: <= 1.3.1; Fixed in: 1.3.2; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-0698; Patch priority: Low; CVSS severity: Low (6.5); Developer: not listed; PSID: f1c6efbf20ae; Credits: wesley wcraft; Required...

CVSS 6.4, AI score 5.7, EPSS 0.00198
Exploits 0, References 3, Affected software 1
Patchstack
added 2024/03/04 12:00 a.m., 9 views

WordPress Blue Triad EZAnalytics Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)

Software: Blue Triad EZAnalytics; Type: Plugin; Vulnerable versions: <= 1.0; Fixed in: N/A (no fixed release listed); OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-1782; Patch priority: Medium; CVSS severity: Medium (7.1); Developer: not listed; PSID: 505430cf135b; Credits: WordFence...

CVSS 6.1, AI score 5.6, EPSS 0.01184
Exploits 0, References 2, Affected software 1
Github Security Blog
added 2024/03/01 8:08 p.m., 24 views

ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection

Impact: This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. Patches: The algorithm to detect SQL injection has been improved. Workarounds: None. References: https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 ...

CVSS 10, AI score 8.1, EPSS 0.00313
Exploits 0, References 7, Affected software 1
Patchstack
added 2024/03/01 12:00 a.m., 8 views

WordPress Finale Lite Plugin <= 2.17.0 is vulnerable to Broken Access Control

Software: Finale Lite; Type: Plugin; Vulnerable versions: <= 2.17.0; Fixed in: 2.18.0; OWASP Top 10: A5 Broken Access Control; Classification: Broken Access Control; CVE: CVE-2024-1120; Patch priority: Low; CVSS severity: Low (5.3); Developer: not listed; PSID: 383bdaaeaeac; Credits: Francesco Carlucci; Required...

CVSS 5.3, AI score 5.2, EPSS 0.00308
Exploits 0, References 3, Affected software 1
Patchstack
added 2024/03/01 12:00 a.m., 15 views

WordPress Calculated Fields Form Plugin 5.0.0-5.1.56 is vulnerable to Cross Site Scripting (XSS)

Software: Calculated Fields Form; Type: Plugin; Vulnerable versions: 5.0.0-5.1.56; Fixed in: 5.1.57; OWASP Top 10: A7 Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-2020; Patch priority: Medium; CVSS severity: Medium (7.2); Developer: not listed; PSID: f60c98fd9fe8; Credits: Asaf...

CVSS 7.2, AI score 5.6, EPSS 0.01914
Exploits 0, References 3, Affected software 1