Lucene search
K

172 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2024/09/04 9:25 p.m.5 views

Malicious code in embeds (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 46ae6a18503196c40e7fd1759d8a68025e6a980a64821c2a1232b7f76fbc2779 Importing a module starts downloading and executing an infostealer, widely identified by AV/sandboxes. --- Category: MALICIOUS - The campaign has clearly...

7.1AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2024/04/22 6:18 a.m.3 views

Malicious code in djs-embeds-v2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 86831222f9b0a818e862c2db4a2e7f56259e7bae31f417c9464d2c19cb67dadb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References1
OSV
OSV
added 2024/04/22 6:18 a.m.11 views

MAL-2024-1285 Malicious code in djs-embeds-v2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 86831222f9b0a818e862c2db4a2e7f56259e7bae31f417c9464d2c19cb67dadb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSV
OSV
added 2024/03/26 9:23 p.m.31 views

GHSA-5359-PVF2-PW78 TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements

Impact A cross-site scripting XSS vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed element and that image could potentially contain a XSS payload. Fix TinyMCE 6.8.1 introduced a new convertunsafeembeds opti...

4.3CVSS4.5AI score0.00722EPSS
Exploits0References6
Snyk
Snyk
added 2024/03/26 1:42 p.m.4 views

Cross-site Scripting (XSS)

Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS when loading SVG files via object or embed elements. Workaround This vulnerability can be avoided by simulating the functionality of the...

6.1CVSS4.7AI score0.00722EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2024/03/26 12:0 a.m.6 views

PT-2024-23105

Name of the Vulnerable Software and Affected Versions TinyMCE versions prior to 6.8.1 TinyMCE versions prior to 7.0.0 Description A cross-site scripting XSS vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an object or embed...

6.1CVSS6.2AI score0.00722EPSS
Exploits0References18
OSV
OSV
added 2024/03/06 11:11 a.m.23 views

BIT-WORDPRESS-2020-28033

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed...

7.5CVSS8.4AI score0.02622EPSS
Exploits0References7
OSV
OSV
added 2024/03/06 11:11 a.m.22 views

BIT-WORDPRESS-MULTISITE-2020-28033

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed...

7.5CVSS8.4AI score0.02622EPSS
Exploits0References7
OSV
OSV
added 2023/11/20 7:15 p.m.2 views

CVE-2023-4799

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS7.3AI score
Exploits0References1
Prion
Prion
added 2023/11/20 7:15 p.m.25 views

Cross site scripting

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

4.9CVSS6.1AI score0.00426EPSS
Exploits2References1Affected Software1
CVE
CVE
added 2023/11/20 6:55 p.m.54 views

CVE-2023-4799

CVE-2023-4799 – Magic Embeds WordPress plugin : The vulnerability affects versions before 3.1.2 (plugin prior to 3.1.2) where shortcode attributes are not properly validated/escaped before output in pages/posts. This can enable a contributor+ user to perform Stored Cross-Site Scripting via the pl...

5.4CVSS5.5AI score0.00426EPSS
Exploits2References1Affected Software1
Cvelist
Cvelist
added 2023/11/20 6:55 p.m.28 views

CVE-2023-4799 Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

5.5AI score0.00426EPSS
Exploits2References1
CNNVD
CNNVD
added 2023/11/20 12:0 a.m.3 views

WordPress Plugin Magic Embeds Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on PHP and MySQL servers.WordPress plugin is an...

5.4CVSS8.6AI score0.00426EPSS
Exploits2References3
Positive Technologies
Positive Technologies
added 2023/11/20 12:0 a.m.7 views

PT-2023-30662 · WordPress · Magic Embeds

Name of the Vulnerable Software and Affected Versions: The Magic Embeds WordPress plugin versions prior to 3.1.2 Description: The issue concerns a lack of validation and escaping of certain shortcode attributes in the plugin, which could allow users with the contributor role and above to perform...

5.4CVSS5.8AI score0.00426EPSS
Exploits2References4
Patchstack
Patchstack
added 2023/10/27 12:0 a.m.12 views

WordPress Magic Embeds Plugin <= 3.1.1 is vulnerable to Cross Site Scripting (XSS)

Software Magic Embeds Type Plugin Vulnerable versions = 3.1.1 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-4799 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 630b7a6e83b9 Credits Dmitrii Ignatyev Required...

5.4CVSS5.7AI score0.00426EPSS
Exploits2References3Affected Software1
wpexploit
wpexploit
added 2023/10/27 12:0 a.m.156 views

Magic Embeds < 3.1.2 - Contributor+ Stored XSS via shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks v 3.1.1 - fbplugin video...

5.4CVSS5.6AI score0.00426EPSS
Exploits2
Patchstack
Patchstack
added 2023/07/19 12:0 a.m.8 views

WordPress Disable Emojis & Disable Embeds for WordPress Performance & SpeedUp Plugin <= 1.4.5 is vulnerable to Cross Site Scripting (XSS)

Software Disable Emojis & Disable Embeds for WordPress Performance & SpeedUp Type Plugin Vulnerable versions = 1.4.5 Fixed in 1.5.0 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority High CVSS severity High 7.1 Developer Claim ownership PSID...

6.3AI score0.00284EPSS
Exploits0References3Affected Software1
Huntr
Huntr
added 2023/07/05 12:33 p.m.28 views

XSS vulnerabilities via various embeds

Description JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document. Proof of Concept PoC file is different for each vulnerable embed. See...

4.9CVSS6.3AI score0.00495EPSS
Exploits1
NVD
NVD
added 2023/04/26 3:15 p.m.13 views

CVE-2022-25276

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities...

6.1CVSS6.3AI score0.00526EPSS
Exploits0References1
NVD
NVD
added 2023/04/18 10:15 p.m.16 views

CVE-2023-29196

Discourse is an open source platform for community discussion. This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker’s payload must pass the CSP to be executed. However, if an attacker succeeds in...

6.1CVSS4.8AI score0.00313EPSS
Exploits0References1
Rows per page
Query Builder