CVE-2020-13806

An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It has a use-after-free because of JavaScript execution after a deletion or close operation...

Design/Logic Flaw

An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It has a use-after-free because of JavaScript execution after a deletion or close operation...

CVE-2020-13643

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The liveeditorpanelsdata $POST variable allows for malicious JavaScript to be...

CVE-2020-13641

An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The faroptionspage function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript,...

CVE-2020-13642

The CVE concerns the WordPress Plugin “Page Builder by SiteOrigin” (SiteOrigin Page Builder) prior to version 2.10.16. The root cause is missing nonce verification in action_builder_content, which enables forged admin-origin requests. The related panels_data ($_POST) handling can allow malicious ...

CVE-2020-13641

CVE-2020-13641 affects WordPress Real-Time Find and Replace plugin prior to 4.0.2. The root cause is missing nonce verification in far_options_page, enabling forged administrator requests. This CSRF can update find/replace rules to inject malicious JavaScript, which could be executed later in vic...

Apple macOS Catalina Security Component Input Validation Error Vulnerability

Apple macOS Catalina is a proprietary operating system developed by Apple Inc. for Mac computers.Security is one of the security components of the system. A security vulnerability exists in the Security component of Apple macOS Catalina versions prior to 10.15.5. An attacker can exploit the...

CVE-2020-13487

The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?posttype=forum aka the Forum listing page for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI...

Design/Logic Flaw

The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?posttype=forum aka the Forum listing page for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI...

CVE-2020-13487

The vulnerability is in the bbPress WordPress plugin up to version 2.6.4, where stored XSS exists in the Forum creation section. The issue allows JavaScript execution in the admin interface (wp-admin/edit.php?post_type=forum) and is exploitable by an administrator via the wp-admin/post.php?action...

CVE-2020-13487

The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?posttype=forum aka the Forum listing page for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI...

Nitro Pro PDF Javascript XML error handling Information Disclosure Vulnerability

Summary An exploitable information disclosure vulnerability exists in the way Nitro Pro 13.9.1.155 does XML error handling. A specially crafted PDF document can cause uninitialized memory access resulting in information disclosure. In order to trigger this vulnerability, victim must open a...

Cross site scripting

In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the...

DRUPAL-CONTRIB-2020-015

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label w...

Dell EMC RSA Archer Injection Vulnerability

Dell EMC RSA Archer is an enterprise IT governance and compliance governance product from Dell USA. The product enables the development of eGRC programs for managing enterprise risk, automating business processes, and more. An injection vulnerability exists in versions prior to Dell EMC RSA Arche...

Elastic: Stored XSS in TSVB Visualizations Markdown Panel

NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: An authenticated user can save...

CVE-2020-7642

lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...

CVE-2020-7642

lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...

Phishing Attacks

firefox is vulnerable to phishing attacks. The vulnerability exists as a web page containing malicious content could execute arbitrary JavaScript in the context of the site, possibly presenting misleading data to a user, or stealing sensitive information such as login credentials...

CVE-2019-19089

For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text...