8222 matches found
Easy Form Builder <= 1.0 - Unauthorised AJAX calls
While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...
HackerOne: Temporary banned user (from platform) is able to make submissions via embedded submission forms
Summary: Hello team! We have discovered issue which allows temporary banned user to submit new reports using embedded submission forms. The hacker can submit submissions via embedded forms using his/her email address. Once the ban is over the hacker can claim his/her report via invitation link...
Wordpress Constant Contact Forms Cross-Site Scripting Vulnerability
Wordpress Constant Contact Forms is Wordpress open source an application plugin. It allows websites to capture visitor information directly and easily. A cross-site scripting vulnerability exists in versions of the Constant Contact Forms WordPress plugin prior to 1.8.8. The vulnerability stems fr...
ALPINE-CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
PYSEC-2021-19
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
UBUNTU-CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
CVE-2021-28957
An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
CVE-2021-24134
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...
CVE-2021-24134
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...
Cross site scripting
Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...
CVE-2021-24134
The CVE affects the WordPress plugin Constant Contact Forms
Wordpress Constant Contact Forms 跨站脚本漏洞
Wordpress Constant Contact Forms is Wordpress open source an application plugin. It allows websites to capture visitor information directly and easily. A cross-site scripting vulnerability exists in versions of the Constant Contact Forms WordPress plugin prior to 1.8.8. The vulnerability stems fr...
VulnCheck KEV: CVE-2021-4367
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the floimportformsoptions AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with...
Flo Forms < 1.0.36 - Authenticated Options Change to Stored XSS
The plugin was being actively exploited, allowing low privilege users to use the floimportformsoptions AJAX action to import new options and inject malicious JavaScript code in the backend...
WordPress Flo Forms plugin <= 1.0.35 - Authenticated Options Change & Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Options Change & Stored Cross-Site Scripting XSS vulnerability discovered by NinTechNet in WordPress Flo Forms plugin versions = 1.0.35. Solution Update the WordPress Flo Forms plugin to the latest available version at least 1.0.36...
Malicious Package
Overview paychex-framework-forms is a malicious package. It uses a preinstall script to steal environment variables. Remediation Avoid using all malicious instances of the paychex-framework-forms package. Credit: Snyk Research...
DEBIAN-CVE-2021-20225
A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and...
Ninja Forms Plugin for WordPress < 3.4.34 Multiple Vulnerabilities
The WordPress Ninja Forms Plugin installed on the remote host is affected by multiple vulnerabilities : - An authenticated SendWP plugin installation and client secret key disclosure - An authenticated OAuth connection key disclosure - An open redirect - A Cross-Site Request Forgery CSRF to OAuth...
grub2: Heap out-of-bounds write in short form option parser
A flaw was found in grub2. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as syste...
Payroll/HR Giant PrismHR Hit by Ransomware?
PrismHR, a company that sells technology used by other firms to help more than 80,000 small businesses manage payroll, benefits, and human resources, has suffered what appears to be an ongoing ransomware attack that is disrupting many of its services. Hopkinton, Mass.-based PrismHR handles...