75 matches found

Cvelist
added 2023/09/20 12:14 p.m., 25 views

CVE-2022-45448 Cross-site Scripting in M4 PDF plugin for Prestashop sites

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed...

CVSS 3.5, AI score 6.4, EPSS 0.00287
Exploits 0, References 1
CNNVD
added 2023/09/20 12:0 a.m., 4 views

Prestashop plugin M4 PDF cross-site scripting vulnerability

PrestaShop is an open source e-commerce solution from PrestaShop, Inc. in the United States. The solution provides a variety of payment methods, short message alerts and product image scaling and other features. A security vulnerability exists in Prestashop plugin M4 PDF 3.2.3 and earlier version...

CVSS 6.1, AI score 6.7, EPSS 0.00287
Exploits 0, References 2
OSV
added 2023/07/12 4:15 a.m., 5 views

CVE-2021-4416

The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on the mpdf_admin_savepost function. This makes it possible for unauthenticated attackers to save post data via a forged request...

CVSS 4.3, AI score 5.6, EPSS 0.00345
Exploits 0, References 9
CVE
added 2023/07/12 3:40 a.m., 43 views

CVE-2021-4416

The CVE-2021-4416 entry concerns the WordPress wp-mpdf plugin. Affected software: WordPress wp-mpdf plugin for WordPress, versions up to and including 3.5.1. Vulnerability: Cross-Site Request Forgery due to missing or incorrect nonce validation in the mpdf_admin_savepost() function. Impact: unaut...

CVSS 4.3, AI score 4.2, EPSS 0.00345
Exploits 0, References 9, Affected Software 1
Cvelist
added 2023/07/12 3:40 a.m., 19 views

CVE-2021-4416 wp-mpdf <= 3.5.1 - Cross-Site Request Forgery Bypass

The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on the mpdf_admin_savepost function. This makes it possible for unauthenticated attackers to save post data via a forged request...

CVSS 4.3, AI score 4.6, EPSS 0.00345
Exploits 0, References 9
CNNVD
added 2023/07/12 12:0 a.m., 3 views

WordPress Plugin wp-mpdf cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forger...

CVSS 4.3, AI score 4.8, EPSS 0.00345
Exploits 0, References 10
Positive Technologies
added 2023/07/12 12:0 a.m., 5 views

PT-2023-12528 · WordPress · Wp-Mpdf

Name of the Vulnerable Software and Affected Versions: wp-mpdf plugin for WordPress versions up to, and including, 3.5.1 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the mpdf admin savepost function. This allows unauthenticated...

CVSS 4.3, AI score 4.4, EPSS 0.00345
Exploits 0, References 11
Packet Storm
added 2022/08/01 12:0 a.m., 601 views

mPDF 7.0 Local File Inclusion

Exploit Title: mPDF 7.0 - Local File Inclusion Google Dork: N/A Date: 2022-07-23 Exploit Author: Musyoka Ian Vendor Homepage: https://mpdf.github.io/ Software Link: https://mpdf.github.io/ Version: CuteNews Tested on: Ubuntu 20.04, mPDF 7.0.x CVE: N/A !/usr/bin/env python3 from urllib.parse impor...

AI score 7.4
Exploits 0
0day.today
added 2022/08/01 12:0 a.m., 1207 views

mPDF 7.0 - Local File Inclusion Exploit

Exploit Title: mPDF 7.0 - Local File Inclusion Exploit Author: Musyoka Ian Vendor Homepage: https://mpdf.github.io/ Software Link: https://mpdf.github.io/ Version: CuteNews Tested on: Ubuntu 20.04, mPDF 7.0.x CVE: N/A !/usr/bin/env python3 from urllib.parse import quote from cmd import Cmd from...

AI score 7.4
Exploits 0
Exploit DB
added 2022/08/01 12:0 a.m., 472 views

mPDF 7.0 - Local File Inclusion

Exploit Title: mPDF 7.0 - Local File Inclusion Google Dork: N/A Date: 2022-07-23 Exploit Author: Musyoka Ian Vendor Homepage: https://mpdf.github.io/ Software Link: https://mpdf.github.io/ Version: CuteNews Tested on: Ubuntu 20.04, mPDF 7.0.x CVE: N/A !/usr/bin/env python3 from urllib.parse impor...

AI score 7.4
Exploits 0
OSV
added 2022/05/14 1:33 a.m., 16 views

GHSA-3CWC-M7C2-QR86 mPDF Unsafe Deserialization

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage method of Image/ImageProcessor class that can result in Arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted image on victim...

CVSS 8.8, AI score 8.7, EPSS 0.02101
Exploits 1, References 3
Github Security Blog
added 2022/05/14 1:33 a.m., 21 views

mPDF Unsafe Deserialization

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage method of Image/ImageProcessor class that can result in Arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted image on victim...

CVSS 8.8, AI score 7, EPSS 0.02101
Exploits 1, References 3, Affected Software 1
Patchstack
added 2021/06/21 12:0 a.m., 8 views

WordPress wp-mpdf plugin <= 3.5.1 - Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress wp-mpdf plugin versions <= 3.5.1. Solution: Update the WordPress wp-mpdf plugin to the latest available version (at least 3.5.2)...

AI score 3.2
Exploits 0, References 2, Affected Software 1
Veracode
added 2019/02/07 2:13 a.m., 19 views

Arbitrary Code Execution

mpdf/mpdf is vulnerable to arbitrary code execution. The vulnerability exists through a phar:// wrapper that leads to an insecure PHP deserialization flaw, allowing an attacker to execute arbitrary code...

CVSS 8.8, AI score 9.2, EPSS 0.02101
Exploits 1, References 3, Affected Software 1
Prion
added 2019/02/04 9:29 p.m., 18 views

Deserialization of untrusted data

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage method of Image/ImageProcessor class that can result in Arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted image on victim...

CVSS 6.8, AI score 8.7, EPSS 0.02101
Exploits 1, References 1, Affected Software 1
NVD
added 2019/02/04 9:29 p.m., 6 views

CVE-2019-1000005

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage method of Image/ImageProcessor class that can result in Arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted image on victim...

CVSS 8.8, AI score 8.7, EPSS 0.02101
Exploits 1, References 1
OSV
added 2019/02/04 9:29 p.m., 16 views

CVE-2019-1000005

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage method of Image/ImageProcessor class that can result in Arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted image on victim...

CVSS 8.8, AI score 7
Exploits 0, References 1
Cvelist
added 2019/02/04 9:0 p.m., 17 views

CVE-2019-1000005

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage method of Image/ImageProcessor class that can result in Arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted image on victim...

AI score 8.7, EPSS 0.02101
Exploits 1, References 1
CVE
added 2019/02/04 9:0 p.m., 64 views

CVE-2019-1000005

CVE-2019-1000005 affects mPDF up to version 7.1.7, where Image/ImageProcessor.getImage() is vulnerable to CWE-502 deserialization of untrusted data via phar:// crafted images, enabling arbitrary code execution or file write. The attack requires hosting a crafted image on the victim server and tri...

CVSS 8.8, AI score 8.6, EPSS 0.02101
Exploits 1, References 1, Affected Software 1
NVD
added 2018/11/07 5:29 a.m., 16 views

CVE-2018-19047

mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a 'img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HT...

CVSS 10, AI score 9.4, EPSS 0.02084
Exploits 1, References 1