172 matches found
Malicious code in embeds (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 46ae6a18503196c40e7fd1759d8a68025e6a980a64821c2a1232b7f76fbc2779 Importing a module starts downloading and executing an infostealer, widely identified by AV/sandboxes. --- Category: MALICIOUS - The campaign has clearly...
Malicious code in djs-embeds-v2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 86831222f9b0a818e862c2db4a2e7f56259e7bae31f417c9464d2c19cb67dadb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-1285 Malicious code in djs-embeds-v2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 86831222f9b0a818e862c2db4a2e7f56259e7bae31f417c9464d2c19cb67dadb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-5359-PVF2-PW78 TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Impact A cross-site scripting XSS vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload. Fix TinyMCE 6.8.1 introduced a new convertunsafeembeds opti...
Cross-site Scripting (XSS)
Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS when loading SVG files via object or embed elements. Workaround This vulnerability can be avoided by simulating the functionality of the...
PT-2024-23105
Name of the Vulnerable Software and Affected Versions TinyMCE versions prior to 6.8.1 TinyMCE versions prior to 7.0.0 Description A cross-site scripting XSS vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed...
BIT-WORDPRESS-2020-28033
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed...
BIT-WORDPRESS-MULTISITE-2020-28033
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed...
CVE-2023-4799
The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
Cross site scripting
The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-4799
CVE-2023-4799 – Magic Embeds WordPress plugin : The vulnerability affects versions before 3.1.2 (plugin prior to 3.1.2) where shortcode attributes are not properly validated/escaped before output in pages/posts. This can enable a contributor+ user to perform Stored Cross-Site Scripting via the pl...
CVE-2023-4799 Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode
The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WordPress Plugin Magic Embeds Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on PHP and MySQL servers.WordPress plugin is an...
PT-2023-30662 · WordPress · Magic Embeds
Name of the Vulnerable Software and Affected Versions: The Magic Embeds WordPress plugin versions prior to 3.1.2 Description: The issue concerns a lack of validation and escaping of certain shortcode attributes in the plugin, which could allow users with the contributor role and above to perform...
WordPress Magic Embeds Plugin <= 3.1.1 is vulnerable to Cross Site Scripting (XSS)
Software Magic Embeds Type Plugin Vulnerable versions = 3.1.1 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-4799 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 630b7a6e83b9 Credits Dmitrii Ignatyev Required...
Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks v 3.1.1 - fbplugin video...
WordPress Disable Emojis & Disable Embeds for WordPress Performance & SpeedUp Plugin <= 1.4.5 is vulnerable to Cross Site Scripting (XSS)
Software Disable Emojis & Disable Embeds for WordPress Performance & SpeedUp Type Plugin Vulnerable versions = 1.4.5 Fixed in 1.5.0 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority High CVSS severity High 7.1 Developer Claim ownership PSID...
XSS vulnerabilities via various embeds
Description JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document. Proof of Concept PoC file is different for each vulnerable embed. See...
CVE-2022-25276
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities...
CVE-2023-29196
Discourse is an open source platform for community discussion. This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker’s payload must pass the CSP to be executed. However, if an attacker succeeds in...