
NVD
added 2021/09/10 2:15 p.m., 9 views

CVE-2021-38349

The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...

CVSS 6.1, EPSS 0.0021
Exploits: 1, References: 2
Prion
added 2021/09/10 2:15 p.m., 14 views

Cross-site scripting

The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...

CVSS 4.3, AI score 6.1, EPSS 0.0021
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2021/09/10 1:32 p.m., 16 views

CVE-2021-38349 Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting

The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...

CVSS 6.1, AI score 6.2, EPSS 0.0021
Exploits: 1, References: 2
CVE
added 2021/09/10 1:32 p.m., 34 views

CVE-2021-38349

The CVE-2021-38349 entry documents a Reflected Cross-Site Scripting vulnerability in the WordPress plugin "Integration of Moneybird for WooCommerce" prior to or including version 2.1.1. The issue stems from the error_description parameter in the file templates/wcmb-admin.php, enabling injection o...

CVSS 6.1, AI score 6.1, EPSS 0.0021
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2021/09/10 1:32 p.m., 5 views

CVE-2021-38349 Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting

The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1...

CVSS 6.1, AI score 6.1, EPSS 0.0021
Exploits: 1, References: 2
WPVulnDB
added 2021/09/09 12:00 a.m., 15 views

Integration of Moneybird for WooCommerce <= 2.1.1 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting via the errordescription parameter found in the /templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts...

CVSS 6.1, AI score 5.2, EPSS 0.0021
Exploits: 1, References: 1, Affected Software: 1
Patchstack
added 2021/09/09 12:00 a.m., 13 views

WordPress Integration of Moneybird for WooCommerce plugin <= 2.1.1 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting (XSS) vulnerability discovered by p7e4 in WordPress Integration of Moneybird for WooCommerce plugin versions <= 2.1.1. Solution: This plugin has been closed as of September 7, 2021 and is not available for download. This closure is temporary, pending a full review...

CVSS 6.1, AI score 2.3, EPSS 0.0021
Exploits: 1, References: 3, Affected Software: 1
Hacker One
added 2021/03/26 1:17 p.m., 73 views

Moneybird: Access control issue on invoice documents downloading feature.

Reporter has found a way to download exports as an unauthorized user. This was only possible after changing the permissions for the user and having a certain page open during this change. The issue has been resolved by adding extra permission checks during the download action...

AI score 2.2
Exploits: 0
Hacker One
added 2021/03/18 3:11 a.m., 16 views

Moneybird: Open Redirect through POST Request in OAuth

Reporter found an open redirect issue in the OAuth flow. We added extra checks for all redirects in the OAuth flows to mitigate this issue...

AI score 2.7
Exploits: 0
Hacker One
added 2020/10/02 2:26 a.m., 55 views

Moneybird: Stored XSS on add project

The researcher found a way to store a snippet that was served to him and/or other users of his administration. Subsequently the snippet was executed by his browser, making it a viable XSS vulnerability...

AI score 4.2
Exploits: 0
Hacker One
added 2019/11/21 4:58 p.m., 10 views

Moneybird: Pending MFA logins aren't immediately expired after a password change

Researcher found an issue with not all sessions being terminated when the password is changed. The 2FA implementation was at fault in this scenario, as the session was found to be active even after the password was changed and two-step verification was turned off...

AI score 2.4
Exploits: 0
Hacker One
added 2019/10/31 8:26 a.m., 10 views

Moneybird: IDOR in https://moneybird.com/user/accountant_company/edit (change company name)

Reporter found a way to change the name of an accountant company for which he didn't have permissions. We added extra checks to prevent this kind of Insecure Direct Object Reference bug...

AI score 7
Exploits: 0
Hacker One
added 2019/10/28 1:00 p.m., 186 views

Moneybird: Bypass password reset rate limit protection at moneybird.com/passwords

Attacker found a way to completely bypass our rate limit protection, allowing for other types of attacks. This involved changing the value of the X-Forwarded-For header. Attacker never got a 429 response from our servers when the value for each request was different. Injecting X-Forwarded-For :...

AI score 1.7
Exploits: 0
Hacker One
added 2019/07/18 4:21 p.m., 125 views

Moneybird: Enable 2FA without verifying the email

Description: I was able to add 2FA to my account without verifying my email. Attack scenario: 1. Attacker signs up with the victim's email; an email verification will be sent to the victim's email. 2. Attacker is able to log in without verifying the email. 3. Attacker adds 2FA. Impact: the victim can't register an account wit...

AI score 2.4
Exploits: 0
Hacker One
added 2017/11/07 6:15 p.m., 17 views

Moneybird: Open Redirection while saving User account Settings

Hi team, I got an open redirection while saving account settings. This could lead to serious issues. Endpoint: https://moneybird.com/user/edit?returnto=//evil.com Reproduce: Visit https://moneybird.com/user/edit?returnto=//evil.com and click on Save. You will be taken to evil.com. Impact:...

AI score 6.7
Exploits: 0
Hacker One
added 2017/09/18 7:37 p.m., 21 views

Moneybird: Bypass of Rate limiting in secure_session endpoint's password input will lead to user password disclosure

The rate limit for entering a password to start a secure session was too low. This allowed for brute force password guessing when an attacker would gain access to an existing session of a user. We have solved the issue by making the password rate limit the same as the regular login procedure...

AI score 1.5
Exploits: 0
Hacker One
added 2017/07/18 10:01 p.m., 19 views

Moneybird: Stored XSS at Moneybird

Reporter found a stored XSS vulnerability in a search field. We have deployed countermeasures to prevent this vulnerability...

AI score 1
Exploits: 0
Hacker One
added 2017/07/08 12:03 a.m., 20 views

Moneybird: Moneybird customers' invoices leak in cacheable URLs

Reporter found a few public links with information that is published by our clients. Although our clients choose to make this information public themselves, we have made some small improvements to protect the information better from indexing by search engines...

AI score 2.6
Exploits: 0
Hacker One
added 2017/03/08 1:19 p.m., 21 views

Moneybird: Stored Cross Site Scripting in Customer Name

Researcher found a vulnerability in our contact selector, in which a contact name with HTML would trigger this HTML to be executed. We have improved our contact selector to handle customer names as text instead of HTML...

AI score 0.4
Exploits: 0
Hacker One
added 2016/07/27 5:03 p.m., 24 views

Moneybird: [Stored Cross-Site-Scripting] When searching about Incoming (Manual Journal)

Reporter found an XSS vulnerability in a JavaScript module in our application. We have implemented countermeasures to prevent such vulnerabilities in the future...

AI score 1.1
Exploits: 0