
2167 matches found

Vulnrichment
added 2024/10/16 6:43 a.m. · 10 views

CVE-2020-36839 WP Lead Plus X <= 0.99 - Cross-Site Request Forgery

The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.99. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform administrative actions, such as...

CVSS 8.3 · AI score 6.5 · EPSS 0.00275
Exploits: 0 · References: 3

CVE
added 2024/10/16 6:43 a.m. · 41 views

CVE-2020-36839

The CVE covers the WordPress plugin WP Lead Plus X, affected through version 0.99. The vulnerability is a Cross-Site Request Forgery due to missing or incorrect nonce validation on several functions, enabling unauthenticated attackers to trigger administrative actions such as adding pages or inje...

CVSS 8.3 · AI score 8 · EPSS 0.00275
Exploits: 0 · References: 3

Cvelist
added 2024/10/16 6:43 a.m. · 14 views

CVE-2021-4444 Product Filter by WooBeWoo <= 1.4.9 - Missing Authorization

The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new...

CVSS 7.3 · EPSS 0.00164
Exploits: 0 · References: 2

Positive Technologies
added 2024/10/15 12:0 a.m. · 3 views

PT-2024-10849 · WordPress · Wp Lead Plus X

Name of the Vulnerable Software and Affected Versions: WP Lead Plus X plugin for WordPress versions up to, and including, 0.99
Description: The WP Lead Plus X plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on several functions. This...

CVSS 8.3 · AI score 6.8 · EPSS 0.00275
Exploits: 0 · References: 12

Positive Technologies
added 2024/10/15 12:0 a.m. · 2 views

PT-2024-11040 · Woobewoo · Woobewoo Product Filter

Name of the Vulnerable Software and Affected Versions: Product Filter by WooBeWoo plugin for WordPress versions up to, and including 1.4.9
Description: The issue is related to authorization bypass due to missing authorization checks on various functions, allowing unauthenticated attackers to...

CVSS 7.3 · AI score 7.4 · EPSS 0.00164
Exploits: 0 · References: 10

Vulnrichment
added 2024/10/14 12:0 a.m. · 8 views

CVE-2024-48120

X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list...

AI score 5.7 · EPSS 0.02555
Exploits: 3 · References: 1

CVE
added 2024/10/14 12:0 a.m. · 47 views

CVE-2024-48120

X2CRM v8.5 is affected by a stored XSS in the Opportunities module. The vulnerability allows an authenticated attacker to inject JavaScript via the Name field when creating a list, with the payload stored and later triggered. Evidence consistently references a stored XSS path in the Opportunities...

CVSS 6.5 · AI score 5.9 · EPSS 0.02555
Exploits: 3 · References: 1 · Affected Software: 1

CNVD
added 2024/10/13 12:0 a.m. · 6 views

Adobe Commerce Cross-Site Scripting Vulnerability (CNVD-2024-41463)

Adobe Commerce is a globally leading digital commerce solution for businesses and brands from the American company Adobe. Adobe Commerce suffers from a cross-site scripting vulnerability that can be exploited by an attacker through a URL that references a...

CVSS 6.1 · AI score 5.8 · EPSS 0.01248
Exploits: 0 · References: 1

NVD
added 2024/10/12 3:15 a.m. · 18 views

CVE-2024-9592

The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the...

CVSS 6.1 · EPSS 0.00256
Exploits: 0 · References: 2

CVE
added 2024/10/12 2:5 a.m. · 102 views

CVE-2024-9592

CVE-2024-9592 concerns the WordPress plugin Easy PayPal Gift Certificate (versions ≤ 1.2.3). The vulnerability is a Cross-Site Request Forgery that, due to missing/incorrect nonce validation in the wpppgc_plugin_options function, can allow an unauthenticated attacker to update plugin settings and...

CVSS 6.1 · AI score 6.2 · EPSS 0.00256
Exploits: 0 · References: 2

Vulnrichment
added 2024/10/12 2:5 a.m. · 7 views

CVE-2024-9592 Easy PayPal Gift Certificate <= 1.2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wpppgc_plugin_options

The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the...

CVSS 6.1 · AI score 6.6 · EPSS 0.00256
Exploits: 0 · References: 2

NVD
added 2024/10/10 10:15 a.m. · 13 views

CVE-2024-45123

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context...

CVSS 6.1 · EPSS 0.01248
Exploits: 0 · References: 1

CNNVD
added 2024/10/10 12:0 a.m. · 1 views

Adobe Commerce Cross-Site Scripting Vulnerability

Adobe Commerce is a globally leading digital commerce solution for businesses and brands from the American company Adobe. Adobe Commerce suffers from a cross-site scripting vulnerability that can be exploited by an attacker through a URL that references a...

CVSS 6.1 · AI score 6 · EPSS 0.01248
Exploits: 0 · References: 3

VulnCheck KEV
added 2024/10/09 12:0 a.m. · 0 views

VulnCheck KEV: CVE-2024-37383

RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code...

CVSS 6.1 · AI score 5.7 · EPSS 0.64519
Exploits: 5 · References: 1

CNNVD
added 2024/10/09 12:0 a.m. · 1 views

Palo Alto Networks Expedition Security Vulnerability

Palo Alto Networks Expedition is a tool from Palo Alto Networks, Inc. that helps with configuration migration, tuning, and enrichment. A security vulnerability exists in Palo Alto Networks Expedition. An attacker exploiting this vulnerability could execute malicious JavaScript in a user's browser...

CVSS 7 · AI score 6.8 · EPSS 0.01367
Exploits: 0 · References: 2

CNNVD
added 2024/10/07 12:0 a.m. · 1 views

Adobe Experience Manager Cross-Site Scripting Vulnerability

Adobe Experience Manager (AEM) is a set of content management solutions from the American company Adobe that can be used to build websites, mobile applications and forms. The solution supports mobile content management, marketing and sales campaign management, and multi-site management. A...

CVSS 5.4 · AI score 6.2 · EPSS 0.01203
Exploits: 0 · References: 2

Veracode
added 2024/10/03 11:32 a.m. · 4 views

Cross-site Scripting (XSS)

Contao is vulnerable to stored Cross-site Scripting (XSS). The vulnerability is due to improper validation of SVG file uploads, allowing an authenticated admin to upload a file containing malicious JavaScript that can be executed when accessed through the website...

CVSS 6.4 · AI score 6 · EPSS 0.00343
Exploits: 1 · References: 3 · Affected Software: 1

Github Security Blog
added 2024/10/02 9:30 p.m. · 14 views

Duplicate Advisory: Contao allows an admin account to upload SVG file containing malicious JavaScript

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-vqqr-fgmh-f626. This link is maintained to preserve external references. Original Description: Contao 5.4.1 allows an authenticated admin account to upload an SVG file containing malicious JavaScript code into the...

CVSS 6.4 · AI score 6 · EPSS 0.00343
Exploits: 1 · References: 4 · Affected Software: 1

OSV
added 2024/10/02 9:30 p.m. · 10 views

GHSA-HXPP-G76M-QHVG October allows an admin account to upload PDF containing malicious JavaScript

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target...

CVSS 4.8 · AI score 4.7 · EPSS 0.0027
Exploits: 1 · References: 3

Github Security Blog
added 2024/10/02 9:30 p.m. · 16 views

October allows an admin account to upload PDF containing malicious JavaScript

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target...

CVSS 4.7 · AI score 6.2 · EPSS 0.0027
Exploits: 1 · References: 3 · Affected Software: 1