CVE-2024-3246

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVE-2024-3246 LiteSpeed Cache <= 6.2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVE-2024-3246 LiteSpeed Cache <= 6.2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVE-2024-40626

Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting XSS vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other...

CVE-2024-1937

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVE-2024-1937

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVE-2024-1937

CVE-2024-1937 (Brizy – Page Builder for WordPress) affects Brizy up to version 2.4.44. The vulnerability is caused by a missing capability check in the update_item function, allowing authenticated attackers with contributor access and above to modify content of arbitrary published posts, includin...

PT-2024-24310 · Stormshield · Stormshield Network Security

Name of the Vulnerable Software and Affected Versions: Stormshield Network Security SNS versions 3.7.0 through 3.7.41 Stormshield Network Security SNS versions 3.10.0 through 3.11.29 Stormshield Network Security SNS versions 4.0 through 4.3.24 Stormshield Network Security SNS versions 4.4.0 throu...

Naver Whale Browser Security Vulnerability

Naver Whale Browser is a web browser from Naver, a South Korean company that supports user-defined interfaces. A security vulnerability exists in Naver Whale Browser versions prior to 3.26.244.21, which stems from improper cleanup when dealing with built-in extensions, allowing an attacker to...

PT-2024-28945 · Unknown · Whale Browser

Name of the Vulnerable Software and Affected Versions: Whale browser versions prior to 3.26.244.21 Description: The issue allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension. Recommendations: For versions prior to 3.26.244.21, updat...

Polyfill.io Supply Chain Attack: Malicious JavaScript Injection Puts Over 100k Websites At Risk

Polyfill.io helps web developers achieve cross-browser compatibility by automatically managing necessary polyfills. By adding a script tag to their HTML, developers can ensure that features like JavaScript functions, HTML5 elements, and various APIs work across different browsers. Originally...

GHSA-3V33-3WMW-3785 yt-dlp has dependency on potentially malicious third-party code in Douyu extractors

Impact yt-dlp's DouyuTV and DouyuShow extractors used a cdn.bootcdn.net URL as a fallback for fetching a component of the crypto-js JavaScript library. When the Douyu extractor is used, yt-dlp extracts this JavaScript code and attempts to execute it externally using PhantomJS. bootcdn.net is owne...

CVE-2024-6229

A stored cross-site scripting XSS vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

CVE-2024-6229 Stored XSS in stangirard/quivr

A stored cross-site scripting XSS vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

CVE-2024-6229

CVE-2024-6229 is a stored XSS vulnerability in stangirard/quivr’s Upload Knowledge feature. An attacker can upload a URL-based file containing malicious JavaScript, which is stored on the server and executed when users click the payload-containing link, potentially enabling data theft and session...

Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)

Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting XSS Date: 20-06-2024 Exploit Author: Jerry Thomas w3bn00b3r Vendor Homepage: https://automad.org Software Link: https://github.com/marcantondahmen/automad Category: Web Application Flat File CMS Version: 2.0.0-alpha.4 Tested on:...

New Cyberthreat 'Boolka' Deploying BMANAGER Trojan via SQLi Attacks

A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER. "The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countrie...

CVE-2024-34142 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVE-2024-34141 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

Cross-Site Scripting (XSS)

magento/community-edition is vulnerable to a stored Cross-site scripting XSS vulnerability. The vulnerability is due to insufficient input sanitization, allowing an authenticated user to inject malicious JavaScript into the name of the main website, which can then execute in the context of other...