Improper Scope Validation in the `open` Endpoint of `tauri-plugin-shell`
Impact The Tauri shell plugin exposes functionality to execute code and open programs on the system. The open endpoint of this plugin is designed to allow open functionality with the system opener e.g. xdg-open on Linux. This was meant to be restricted to a reasonable number of protocols like htt...
Backup of Powered-Off VM in Proxmox Fails When HA Status is Stopped
Challenge The backup of a powered-off VM within a Proxmox environment where High Availability (HA) is enabled but the HA status is Stopped fails with the error: Failed to perform backup: Failed to connect the NBD server to the hypervisor host. Cause The job fails because the High Availability (HA...
Pray For Me <= 1.0.4 - Unauthenticated Stored XSS
Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests page in the WP Admin 1. Configure the plugin to add the first name and last name fields to the form:...
Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing < 3.6.4 - Plugin Settings Update via CSRF
Description The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin'...
Slider Revolution < 6.6.19 - Author+ Insecure Deserialization leading to RCE
Description The plugin does not prevent users with at least the Author role from unserializing arbitrary content when importing sliders, potentially leading to Remote Code Execution. 1. Make sure to configure the plugin so Authors can access its settings 2. Create a new slider. 3. Save and export...
Code injection
A potential vulnerability has been identified in the Micro Focus Dimensions CM Plugin for Jenkins. The vulnerability could be exploited to retrieve a login certificate if an authenticated user is duped into using an attacker-controlled Dimensions CM server. This vulnerability only applies when th...
CVE-2020-36716
The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setuppage function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard if it has not been run previously and...
WordPress Plugin Wordapp Data Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
SUSE CVE-2010-4541
Stack-based buffer overflow in the loadit function in plug-ins/common/sphere-designer.c in the SPHERE DESIGNER plugin in GIMP 2.6.11 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long "Number of lights" field in a...
SUSE CVE-2010-4542
Stack-based buffer overflow in the gfigreadparametergimprgb function in plug-ins/gfig/gfig-style.c in the GFIG plugin in GIMP 2.6.11 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long Foreground field in a plugin...
SUSE CVE-2019-16547
Missing permission checks in various API endpoints in Jenkins Google Compute Engine Plugin 4.1.1 and earlier allow attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment...
PT-2023-13552 · Unknown · Wecube Platform
Name of the Vulnerable Software and Affected Versions: WeCube Platform version 3.2.2 Description: An issue was discovered where cleartext passwords are displayed in the configuration for terminal plugins. Recommendations: For WeCube Platform version 3.2.2, consider restricting access to the...
Web Invoice <= 2.1.3 - Authenticated SQLi
The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well PoC...
Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)
Abstract SUMMARY The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM. Content VULNERABILITY DETAILS...
Desktop APP XSS to RCE
📝 Description Bypass disabled plugins configuration In its default configuration, drawio desktop disables the use of custom plugins and requires the --enable-plugins flag to enable them. In addition, draw.io allows you to configure the application, mainly the interface, using a JSON file...
Apache Apisix Security Vulnerability
Apache Apisix is a cloud-native microservices API gateway service from the Apache Foundation. The software is based on OpenResty and etcd and features dynamic routing and plugin hot-loading for API management in microservices systems. Versions prior to Apache Apisix 2.13.1 contain an information...
CVE-2022-24677
Admin.php in HYBBS2 through 2.3.2 allows remote code execution because it writes plugin-related configuration information to conf.php...
All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize
The plugin enables authenticated users with "aioseotoolssettings" privilege most of the time admin to execute arbitrary code on the underlying host. Users can restore plugin's configuration by uploading a backup .ini file in the section "Tool Import/Export". However, the plugin attempts to...
[SECURITY] Fedora 33 Update: containernetworking-plugins-0.9.1-2.fc33
The CNI (Container Network Interface) project consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. CNI concerns itself only with network connectivity of containers and removing allocated resourc ...