8222 matches found

WPVulnDB
added 2021/03/27 12:00 a.m., 11 views

Easy Form Builder <= 1.0 - Unauthorised AJAX calls

While confirming https://wpscan.com/vulnerability/ed0c054b-54bf-4df8-9015-c76704c93484, we noticed that all AJAX actions of the plugin, available to authenticated users, do not have any CSRF and authorisation checks in place, allowing low privilege users to call them and delete/edit arbitrary for...

AI score 4.4
Exploits: 0, Affected software: 1
Hacker One
added 2021/03/23 7:43 p.m., 15 views

HackerOne: Temporary banned user (from platform) is able to make submissions via embedded submission forms

Summary: Hello team! We have discovered an issue which allows a temporarily banned user to submit new reports using embedded submission forms. The hacker can submit submissions via embedded forms using his/her email address. Once the ban is over the hacker can claim his/her report via invitation link...

AI score 0.4
Exploits: 0
CNVD
added 2021/03/22 12:00 a.m., 8 views

Wordpress Constant Contact Forms Cross-Site Scripting Vulnerability

Wordpress Constant Contact Forms is an open source WordPress application plugin. It allows websites to capture visitor information directly and easily. A cross-site scripting vulnerability exists in versions of the Constant Contact Forms WordPress plugin prior to 1.8.8. The vulnerability stems fr...

CVSS 4.8, AI score 5.8, EPSS 0.00654
Exploits: 2, References: 1
OSV
added 2021/03/21 5:15 a.m., 2 views

ALPINE-CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

CVSS 6.1, AI score 6.8, EPSS 0.04002
Exploits: 1, References: 1
OSV
added 2021/03/21 5:15 a.m., 4 views

PYSEC-2021-19

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

CVSS 6.1, AI score 6.9, EPSS 0.04002
Exploits: 1, References: 6
OSV
added 2021/03/21 5:15 a.m., 4 views

UBUNTU-CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

CVSS 6.1, AI score 6.8, EPSS 0.04002
Exploits: 1, References: 8
Vulnrichment
added 2021/03/21 4:39 a.m., 1 view

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute, allowing JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

AI score 6.4, EPSS 0.04002
Exploits: 1, References: 10
NVD
added 2021/03/18 3:15 p.m., 13 views

CVE-2021-24134

Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...

CVSS 4.8, EPSS 0.00654
Exploits: 2, References: 1
OSV
added 2021/03/18 3:15 p.m., 5 views

CVE-2021-24134

Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...

CVSS 4.8, AI score 6, EPSS 0.00654
Exploits: 2, References: 1
Prion
added 2021/03/18 3:15 p.m., 15 views

Cross site scripting

Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user Editor+ to inject arbitrary JavaScript code or HTML in posts where the malicious fo...

CVSS 3.5, AI score 4.9, EPSS 0.00654
Exploits: 2, References: 1, Affected software: 1
CVE
added 2021/03/18 2:57 p.m., 56 views

CVE-2021-24134

The CVE affects the WordPress plugin Constant Contact Forms

CVSS 4.8, AI score 4.9, EPSS 0.00654
Exploits: 2, References: 1, Affected software: 1
CNNVD
added 2021/03/18 12:00 a.m., 9 views

Wordpress Constant Contact Forms Cross-Site Scripting Vulnerability

Wordpress Constant Contact Forms is an open source WordPress application plugin. It allows websites to capture visitor information directly and easily. A cross-site scripting vulnerability exists in versions of the Constant Contact Forms WordPress plugin prior to 1.8.8. The vulnerability stems fr...

CVSS 4.8, AI score 5.6, EPSS 0.00654
Exploits: 2, References: 2
VulnCheck KEV
added 2021/03/16 12:00 a.m., 5 views

VulnCheck KEV: CVE-2021-4367

The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the flo_import_forms_options AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with...

CVSS 6.4, AI score 6, EPSS 0.0067
Exploits: 1, References: 1
WPVulnDB
added 2021/03/16 12:00 a.m., 6 views

Flo Forms < 1.0.36 - Authenticated Options Change to Stored XSS

The plugin was being actively exploited, allowing low privilege users to use the flo_import_forms_options AJAX action to import new options and inject malicious JavaScript code in the backend...

AI score 3.9
Exploits: 0, References: 1, Affected software: 1
Patchstack
added 2021/03/16 12:00 a.m., 10 views

WordPress Flo Forms plugin <= 1.0.35 - Authenticated Options Change & Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Options Change & Stored Cross-Site Scripting (XSS) vulnerability discovered by NinTechNet in WordPress Flo Forms plugin versions <= 1.0.35. Solution: Update the WordPress Flo Forms plugin to the latest available version, at least 1.0.36...

AI score 1.8
Exploits: 0, References: 2, Affected software: 1
Snyk
added 2021/03/07 11:14 a.m., 3 views

Malicious Package

Overview: paychex-framework-forms is a malicious package. It uses a preinstall script to steal environment variables. Remediation: Avoid using all malicious instances of the paychex-framework-forms package. Credit: Snyk Research...

CVSS 10, AI score 6.8
Exploits: 0, References: 2
OSV
added 2021/03/03 5:15 p.m., 3 views

DEBIAN-CVE-2021-20225

A flaw was found in grub2 in versions prior to 2.06. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and...

CVSS 6.7, AI score 6.9, EPSS 0.01017
Exploits: 0, References: 1
Tenable Nessus
added 2021/03/03 12:00 a.m., 21 views

Ninja Forms Plugin for WordPress < 3.4.34 Multiple Vulnerabilities

The WordPress Ninja Forms Plugin installed on the remote host is affected by multiple vulnerabilities:
- An authenticated SendWP plugin installation and client secret key disclosure
- An authenticated OAuth connection key disclosure
- An open redirect
- A Cross-Site Request Forgery (CSRF) to OAuth...

CVSS 8.8, AI score 7.6, EPSS 0.01643
Exploits: 8, References: 6
RedHat Linux
added 2021/03/02 7:39 p.m., 4 views

grub2: Heap out-of-bounds write in short form option parser

A flaw was found in grub2. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as syste...

CVSS 7.2, AI score 5.9, EPSS 0.01017
Exploits: 0, References: 4
Krebs on Security
added 2021/03/02 7:36 p.m., 44 views

Payroll/HR Giant PrismHR Hit by Ransomware?

PrismHR, a company that sells technology used by other firms to help more than 80,000 small businesses manage payroll, benefits, and human resources, has suffered what appears to be an ongoing ransomware attack that is disrupting many of its services. Hopkinton, Mass.-based PrismHR handles...

AI score 6.9
Exploits: 0