CVE-2023-6985 10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Arbitrary Plugin Installation

The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the installplugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with...

CVE-2024-24838

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Five Star Plugins Five Star Restaurant Reviews allows Stored XSS.This issue affects Five Star Restaurant Reviews: from n/a through 2.3.5...

Cross site scripting

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Five Star Plugins Five Star Restaurant Reviews allows Stored XSS.This issue affects Five Star Restaurant Reviews: from n/a through 2.3.5...

CVE-2024-24838

CVE-2024-24838 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Five Star Restaurant Reviews (Five Star Plugins) affecting versions up to 2.3.5. The root cause is improper neutralization of input during web page generation, enabling an attacker with Contributor+ privil...

PT-2024-15159 · 10Web · 10Web Ai Assistant

Name of the Vulnerable Software and Affected Versions: 10Web AI Assistant versions up to, and including, 1.0.18 Description: The issue allows authenticated attackers with subscriber-level access and above to install arbitrary plugins, potentially gaining further access to a compromised site. This...

Authentication Bypass

Lobe Chat is vulnerable to Authentication Bypass. The vulnerability is caused due to missing authentication checks within route.ts when the application is password-protected deployed with the ACCESSCODE option. This allows an attacker to access plugins without proper authorization...

Discourse 信息泄露漏洞

Discourse is an open source community discussion platform. The platform includes features such as community, email and chat rooms. An information disclosure vulnerability exists in Discourse discourse-group-membership-ip-block, which originates from sending all group customization fields to the...

Cross site scripting

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in PWR Plugins Portfolio & Image Gallery for WordPress | PowerFolio allows Stored XSS.This issue affects Portfolio & Image Gallery for WordPress | PowerFolio: from n/a through 3.1...

CVE-2024-22150

CVE-2024-22150 relates to the WordPress plugin PowerFolio (Portfolio & Image Gallery). The issue is an improper neutralization of input during web page generation, yielding a Cross-Site Scripting (XSS) vulnerability. Affected software version range is PowerFolio for WordPress

GHSA-PF55-FJ96-XF37 @lobehub/chat vulnerable to unauthorized access to plugins

Description: When the application is password-protected deployed with the ACCESSCODE option, it is possible to access plugins without proper authorization without password. Proof-of-Concept: Let’s suppose that application has been deployed with following command: sudo docker run -d -p 3210:3210 -...

CVE-2024-24566 Lobe Chat unauthorized access to plugins

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected deployed with the ACCESSCODE option, it is possible to access plugins without proper authorization without password. This vulnerabili...

CVE-2024-24566

CVE-2024-24566 affects Lobe Chat: improper access control lets users access plugins without password when ACCESS_CODE is used. Documented PoC shows exploitation via /api/plugin/gateway; impact is unauthorized plugin access. The issue is patched in version 0.122.4; remediation is to upgrade to 0.1...

gradle.plugin.org.springframework.cloud:spring-cloud-contract-gradle-plugin (>=3.1.0 <=3.1.1), no.skatteetaten.aurora.gradle.plugins:aurora-gradle-plugin (>=4.4.6 <=4.5.2) +14 more potentially affected by CVE-2024-22236 via org.springframework.cloud:spring-cloud-contract-shade (>=3.1.0 <=3.1.1)

org.springframework.cloud:spring-cloud-contract-shade MAVEN version =3.1.0, =3.1.0, =4.4.6, =4.4.6, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.1 - org.springframework.cloud:spr...

CentOS 7 : gstreamer-plugins-bad-free (RHSA-2024:0279)

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:0279 advisory. - MXF demuxer use-after-free vulnerability fedora-all CVE-2023-44446 Note that Nessus has not tested for this issue but has instead relied only on the...

DSA-5608-1 gst-plugins-bad1.0 - security update

Bulletin has no description...

Debian dsa-5608 : gir1.2-gst-plugins-bad-1.0 - security update

The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5608 advisory. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5608-1...

RHEL 8 : gstreamer1-plugins-bad-free (RHSA-2023:7840)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:7840 advisory. GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a...

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 15, 2024 to January 21, 2024)

Did you know were running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 84 vulnerabilities disclosed in 67...

aendter.jenkins.plugins:filesystem-list-parameter-plugin (=0.0.6), br.com.ingenieux.jenkins.plugins:codecommit-url-helper (=0.0.1) +192 more potentially affected by CVE-2024-23900 via org.jenkins-ci.plugins:matrix-project (>=1.0 <=822.v01b_8c85d16d2)

org.jenkins-ci.plugins:matrix-project MAVEN version =1.0, =1.0.5.0, =0.2, =1.0.0, =1.9.2-beta, =0.5, =1.29, =1.14.0, =4.1.1, =1.1.1, =1.0.0, =1.0.1, =1.1.3, =1.7.2, =1.8.2 and more Source cves: CVE-2024-23900 Source advisory: OSV:GHSA-CJGM-9VC9-56MX...

RPD:bmc-rpd (=1.1), aendter.jenkins.plugins:filesystem-list-parameter-plugin (=0.0.4) +801 more potentially affected by CVE-2024-23897 via org.jenkins-ci.main:jenkins-core (>=1.606 <=2.42)

org.jenkins-ci.main:jenkins-core MAVEN version =1.606, =1.0, =0.1.0, =0.1.0, =1.0, =1.17, =1.0.5.0, =1.0.5.0, =1.0.5.0, =1.0, =1.10 and more Source cves: CVE-2024-23897 Source advisory: OSV:GHSA-6F9G-CXWR-Q5JR...