Lucene search
K

175 matches found

CNNVD
CNNVD
added 2022/07/21 12:0 a.m.8 views

Drupal 跨站脚本漏洞

Drupal is an open source content management system developed in PHP by the Drupal community. A cross-site scripting vulnerability exists in Drupal versions prior to 9.3.19 and prior to 9.4.3, which stems from Media oEmbed iframe routing that does not properly validate iframe domain settings...

6.1CVSS5.9AI score0.00526EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2022/07/21 12:0 a.m.34 views

Drupal 9.4.x < 9.4.3 Multiple Vulnerabilities

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.91, 9.3.x prior to 9.3.19 or 9.4.x prior to 9.4.3. It is, therefore, affected by multiple vulnerabilities: - In some situations, the Image module does not correctly check access to...

7.5CVSS7.8AI score0.01422EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2022/07/21 12:0 a.m.34 views

Drupal 9.3.x < 9.3.19 Multiple Vulnerabilities

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.91, 9.3.x prior to 9.3.19 or 9.4.x prior to 9.4.3. It is, therefore, affected by multiple vulnerabilities: - In some situations, the Image module does not correctly check access to...

7.5CVSS7.8AI score0.01422EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2022/07/21 12:0 a.m.116 views

Drupal 7.x < 7.91 Multiple Vulnerabilities

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.91, 9.3.x prior to 9.3.19 or 9.4.x prior to 9.4.3. It is, therefore, affected by multiple vulnerabilities: - In some situations, the Image module does not correctly check access to...

7.5CVSS7.8AI score0.01422EPSS
Exploits0References6
OSV
OSV
added 2022/07/20 3:41 p.m.4 views

DRUPAL-CORE-2022-015

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...

6.1CVSS6.5AI score0.00526EPSS
Exploits0References1
Drupal
Drupal
added 2022/07/20 12:0 a.m.37 views

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...

6.1CVSS3.3AI score0.00526EPSS
Exploits0References16
Drupal
Drupal
added 2020/11/18 12:0 a.m.15 views

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012...

6.7AI score
Exploits0References7
Hacker One
Hacker One
added 2020/03/09 1:43 p.m.41 views

Node.js third-party modules: [Limited bypass of #793704] Blind SSRF in Ghost CMS

Blind SSRF vulnerability in Ghost allows for internal port scanning, or reading oembed contents from internal network...

5.5CVSS2.4AI score0.0122EPSS
Exploits1
Veracode
Veracode
added 2019/05/24 4:34 p.m.17 views

Information Disclosure

Wordpress is vulnerable to Information Disclosure. The vulnerability exists in the wpprepareattachmentforjs function in media.php where a remote attacker can modify the parameter authorname as part of a request to /wp-json/oembed/1.0/embed?url which would lead to path disclosure...

5.3CVSS5.2AI score0.03008EPSS
Exploits0References4Affected Software2
OSV
OSV
added 2019/05/22 6:29 p.m.17 views

UBUNTU-CVE-2017-6514

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information Path Disclosure via a /wp-json/oembed/1.0/embed?url= request, related to the "authorname":" substring...

5.3CVSS6.2AI score0.03008EPSS
Exploits0References4
OSV
OSV
added 2019/05/22 6:29 p.m.6 views

DEBIAN-CVE-2017-6514

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information Path Disclosure via a /wp-json/oembed/1.0/embed?url= request, related to the "authorname":" substring...

5.3CVSS6.6AI score0.03008EPSS
Exploits0References1
Cvelist
Cvelist
added 2019/05/22 5:20 p.m.21 views

CVE-2017-6514

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information Path Disclosure via a /wp-json/oembed/1.0/embed?url= request, related to the "authorname":" substring...

5.2AI score0.03008EPSS
Exploits0References3
NVD
NVD
added 2019/03/21 4:1 p.m.32 views

CVE-2019-9870

plugin.js in the w8tcha oEmbed plugin before 2019-03-14 for CKEditor mishandles SCRIPT elements...

9.8CVSS9.5AI score0.01846EPSS
Exploits0References2
OSV
OSV
added 2019/03/21 4:1 p.m.22 views

CVE-2019-9870

plugin.js in the w8tcha oEmbed plugin before 2019-03-14 for CKEditor mishandles SCRIPT elements...

9.8CVSS6.9AI score
Exploits0References2
Prion
Prion
added 2019/03/21 4:1 p.m.21 views

Code injection

plugin.js in the w8tcha oEmbed plugin before 2019-03-14 for CKEditor mishandles SCRIPT elements...

7.5CVSS9.4AI score0.01846EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2019/03/19 4:27 p.m.58 views

CVE-2019-9870

CVE-2019-9870 affects the w8tcha CKEditor oEmbed plugin prior to 2019-03-14. The vulnerability stems from how plugin.js mishandles SCRIPT elements, enabling a NETWORK-exposed issue with LOW attack complexity and no required user interaction. NVD records CVSS v3.0 base score 9.8 (CRITICAL) with HI...

9.8CVSS9.4AI score0.01846EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2019/03/19 4:27 p.m.32 views

CVE-2019-9870

plugin.js in the w8tcha oEmbed plugin before 2019-03-14 for CKEditor mishandles SCRIPT elements...

9.5AI score0.01846EPSS
Exploits0References2
Hacker One
Hacker One
added 2018/09/19 3:54 a.m.21 views

Valve: code injection, steam chat client

The steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbedis codepen. When a codepen is created, it can be sent as a link to another steam user, and the code inside the codepen will execute within the privileged Steam Chat context. You can send these codep...

8.1AI score
Exploits0
Hacker One
Hacker One
added 2018/07/01 10:41 a.m.33 views

LinkedIn: Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com

This report was previously published on Medium.com/@JonathanBouman. Follow me on Twitter or Medium for new reports. F361972 Proof of concept Background In my previous report we learned more about a special type of the persistent XSS attack; the unvalidated oEmbed attack. This attack allows us to...

6.1AI score
Exploits0
Cvelist
Cvelist
added 2018/05/31 8:0 p.m.28 views

CVE-2016-10569

embedza is a module to create HTML snippets/embeds from URLs using info from oEmbed, Open Graph, meta tags. embedza versions below 1.2.4 download JavaScript resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the...

8.3AI score0.01752EPSS
Exploits0References1
Rows per page
Query Builder