7418 matches found

The Hacker News
added 2024/01/23 2:19 p.m. | 45 views

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub

Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encrypted SSH keys stolen from developer systems on which they were installed. The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and...

7.2 AI score
Exploits: 0

CNNVD
added 2024/01/23 12:00 a.m. | 2 views

Mozilla Firefox Security Vulnerability

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. Mozilla Firefox suffers from a denial of service vulnerability caused by an error when using certain WASM files in devtools. An attacker can exploit the vulnerability to cause the browser to crash...

6.5 CVSS | 8.5 AI score | 0.00143 EPSS
Exploits: 0 | References: 4

Patchstack
added 2024/01/22 12:00 a.m. | 9 views

WordPress Photo Gallery by 10Web Plugin <= 1.8.19 is vulnerable to Directory Traversal

Software: Photo Gallery by 10Web | Type: Plugin | Vulnerable versions: <= 1.8.19 | Fixed in: 1.8.20 | OWASP Top 10: A4: Insecure Design | Classification: Directory Traversal | CVE: CVE-2024-0221 | Patch priority: Low | CVSS severity: Low 9.1 | Developer: Claim ownership | PSID: 29011d5256be | Credits: Bence Szalai | Required privile...

9.1 CVSS | 6.9 AI score | 0.01429 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack
added 2024/01/22 12:00 a.m. | 20 views

WordPress ColorMag Theme <= 3.1.2 is vulnerable to Broken Access Control

Software: ColorMag | Type: Theme | Vulnerable versions: <= 3.1.2 | Fixed in: 3.1.3 | OWASP Top 10: A5: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-0679 | Patch priority: Medium | CVSS severity: Medium 6.5 | Developer: Claim ownership | PSID: a03b90ac4c61 | Credits: Sean Murphy | Required privilege...

6.5 CVSS | 6.8 AI score | 0.09774 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

CNNVD
added 2024/01/22 12:00 a.m. | 3 views

pb-cms Cross-Site Scripting Vulnerability

pb-cms is a content management system by the individual developer LinZhaoguan. A cross-site scripting vulnerability exists in LinZhaoguan pb-cms version 2.0. It originates from an unknown function in the Comment Handler component and can lead to cross-site scripting using special input...

5.4 CVSS | 6 AI score | 0.00076 EPSS
Exploits: 1 | References: 4

CNNVD
added 2024/01/19 12:00 a.m. | 3 views

liuwy-dlsdys zhglxt Cross-Site Scripting Vulnerability

zhglxt is a web application by the Chinese individual developer liuwy-dlsdys. A cross-site scripting vulnerability exists in liuwy-dlsdys zhglxt version 4.7.7, stemming from the notifyTitle parameter in the file /oa/notify/edit, which causes cross-site scripting...

4.8 CVSS | 6 AI score | 0.00114 EPSS
Exploits: 1 | References: 4

Patchstack
added 2024/01/19 12:00 a.m. | 6 views

WordPress WP-Lister Lite for eBay Plugin <= 3.5.7 is vulnerable to Cross Site Scripting (XSS)

Software: WP-Lister Lite for eBay | Type: Plugin | Vulnerable versions: <= 3.5.7 | Fixed in: 3.5.8 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-22307 | Patch priority: Medium | CVSS severity: Medium 7.1 | Developer: WP Lab | PSID: d2c57f837173 | Credits: Dimas Maulana | Required privilege...

7.1 CVSS | 6.5 AI score | 0.00091 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Japan Vulnerability Notes
added 2024/01/19 12:00 a.m. | 23 views

JVN#67215338: FusionPBX vulnerable to cross-site scripting

FusionPBX contains a stored cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the web browser of the user who is logging in to the product. Solution: Update the software. Update the software to the latest version according to the information provided by the...

4.8 CVSS | 4.8 AI score | 0.00101 EPSS
Exploits: 0

Patchstack
added 2024/01/19 12:00 a.m. | 5 views

WordPress Posts List Designer by Category – List Category Posts Or Recent Posts Plugin <= 3.3.2 is vulnerable to Cross Site Scripting (XSS)

Software: Posts List Designer by Category – List Category Posts Or Recent Posts | Type: Plugin | Vulnerable versions: <= 3.3.2 | Fixed in: 3.3.3 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-23502 | Patch priority: Low | CVSS severity: Low 6.5 | Developer: Claim ownership | PSID...

6.5 CVSS | 6.6 AI score | 0.00084 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2024/01/19 12:00 a.m. | 10 views

WordPress GeneratePress Premium Plugin <= 2.3.2 is vulnerable to Cross Site Scripting (XSS)

Software: GeneratePress Premium | Type: Plugin | Vulnerable versions: <= 2.3.2 | Fixed in: 2.4.0 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-6807 | Patch priority: Low | CVSS severity: Low 6.5 | Developer: Claim ownership | PSID: 846d3c0679d6 | Credits: Francesco Carlucci...

6.4 CVSS | 5.7 AI score | 0.00272 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2024/01/19 12:00 a.m. | 14 views

WordPress Ninja Tables Plugin <= 5.0.5 is vulnerable to Broken Access Control

Software: Ninja Tables | Type: Plugin | Vulnerable versions: <= 5.0.5 | Fixed in: 5.0.6 | OWASP Top 10: A1: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-23504 | Patch priority: Low | CVSS severity: Low 5.3 | Developer: Claim ownership | PSID: 86a45ee34ff9 | Credits: emad | Required privilege...

5.3 CVSS | 6.6 AI score | 0.00373 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2024/01/18 12:00 a.m. | 9 views

WordPress WP Recipe Maker Plugin <= 9.1.0 is vulnerable to Cross Site Scripting (XSS)

Software: WP Recipe Maker | Type: Plugin | Vulnerable versions: <= 9.1.0 | Fixed in: 9.1.1 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-0384 | Patch priority: Low | CVSS severity: Low 6.5 | Developer: Claim ownership | PSID: 782b4465ae79 | Credits: wesley wcraft | Required...

6.4 CVSS | 5.7 AI score | 0.02049 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack
added 2024/01/18 12:00 a.m. | 10 views

WordPress Getwid – Gutenberg Blocks Plugin <= 2.0.4 is vulnerable to Bypass Vulnerability

Software: Getwid – Gutenberg Blocks | Type: Plugin | Vulnerable versions: <= 2.0.4 | Fixed in: 2.0.5 | OWASP Top 10: A1: Broken Access Control | Classification: Bypass Vulnerability | CVE: CVE-2023-6963 | Patch priority: Low | CVSS severity: Low 5.3 | Developer: Claim ownership | PSID: cbf13618cdfb | Credits: Lucio Sá | Required...

5.3 CVSS | 6.5 AI score | 0.00122 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack
added 2024/01/18 12:00 a.m. | 10 views

WordPress WP Recipe Maker Plugin <= 9.1.0 is vulnerable to Path Traversal

Software: WP Recipe Maker | Type: Plugin | Vulnerable versions: <= 9.1.0 | Fixed in: 9.1.1 | OWASP Top 10: A1: Broken Access Control | Classification: Path Traversal | CVE: CVE-2024-0380 | Patch priority: Low | CVSS severity: Low 5.4 | Developer: Claim ownership | PSID: 156eb3d878da | Credits: wesley wcraft | Required privilege...

5.4 CVSS | 6.5 AI score | 0.06183 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack
added 2024/01/18 12:00 a.m. | 13 views

WordPress WP Recipe Maker Plugin <= 9.1.0 is vulnerable to Cross Site Scripting (XSS)

Software: WP Recipe Maker | Type: Plugin | Vulnerable versions: <= 9.1.0 | Fixed in: 9.1.1 | OWASP Top 10: A7: Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2023-6970 | Patch priority: Medium | CVSS severity: Medium 7.1 | Developer: Claim ownership | PSID: 0948a26cff34 | Credits: wesley wcraft...

6.1 CVSS | 5.6 AI score | 0.23036 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack
added 2024/01/17 12:00 a.m. | 15 views

WordPress Slider by Supsystic Plugin <= 1.8.6 is vulnerable to Broken Access Control

Software: Slider by Supsystic | Type: Plugin | Vulnerable versions: <= 1.8.6 | Fixed in: 1.8.7 | OWASP Top 10: A1: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-47330 | Patch priority: Medium | CVSS severity: Medium 4.3 | Developer: Claim ownership | PSID: 5be1957d9f7e | Credits: Abdi Pranata | Requir...

8.8 CVSS | 6.5 AI score | 0.00301 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2024/01/17 12:00 a.m. | 14 views

WordPress Albo Pretorio Online Plugin <= 4.6.6 is vulnerable to Cross Site Scripting (XSS)

Software: Albo Pretorio Online | Type: Plugin | Vulnerable versions: <= 4.6.6 | Fixed in: 4.7 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2024-22302 | Patch priority: Low | CVSS severity: Low 6.5 | Developer: Claim ownership | PSID: 74619e1b53fd | Credits: Ngô Thiên An ancorn from VNPT-VCI...

6.5 CVSS | 6.5 AI score | 0.00077 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2024/01/17 12:00 a.m. | 8 views

WordPress Contact Form builder with drag & drop - Kali Forms Plugin <= 2.3.36 is vulnerable to Insecure Direct Object References (IDOR)

Software: Contact Form builder with drag & drop - Kali Forms | Type: Plugin | Vulnerable versions: <= 2.3.36 | Fixed in: 2.3.37 | OWASP Top 10: A1: Broken Access Control | Classification: Insecure Direct Object References (IDOR) | CVE: CVE-2024-22305 | Patch priority: Low | CVSS severity: Low 7.5 | Developer: Claim ownership...

8.1 CVSS | 6.5 AI score | 0.001 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2024/01/17 12:00 a.m. | 9 views

WordPress WooCommerce Subscriptions Plugin < 5.8.0 is vulnerable to Broken Access Control

Software: WooCommerce Subscriptions | Type: Plugin | Vulnerable versions: < 5.8.0 | Fixed in: 5.8.0 | OWASP Top 10: A1: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-50850 | Patch priority: Low | CVSS severity: Low 4.3 | Developer: Claim ownership | PSID: 18ef9f3672af | Credits: Rafie Muhammad...

6.6 AI score | 0.00253 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2024/01/17 12:00 a.m. | 13 views

WordPress 12 Step Meeting List Plugin <= 3.14.28 is vulnerable to Broken Access Control

Software: 12 Step Meeting List | Type: Plugin | Vulnerable versions: <= 3.14.28 | Fixed in: 3.14.29 | OWASP Top 10: A1: Broken Access Control | Classification: Broken Access Control | CVE: CVE-2024-22296 | Patch priority: Low | CVSS severity: Low 4.3 | Developer: Code for Recovery | PSID: f23582f9bd35 | Credits: emad | Required...

8.8 CVSS | 6.6 AI score | 0.00377 EPSS
Exploits: 0 | References: 2 | Affected Software: 1