CVE-2021-39341 OptinMonster <= 2.6.4 Unprotected REST-API Endpoints
The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation in the loggedinorhasapikey function in the /OMAPI/RestApi.php file, which can be used to inject malicious web scripts on sites with...
1,000,000 Sites Affected by OptinMonster Vulnerabilities
Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in...
OptinMonster < 2.6.5 - Unprotected REST-API Endpoints
OptinMonster was missing appropriate capability checks on several REST-API endpoints which made it possible for unauthenticated attackers, and in some instances authenticated with low privileges, to perform unauthorized actions, as well as access sensitive information such as the...
WordPress OptinMonster plugin <= 2.6.4 - Unprotected REST-API to Sensitive Information Disclosure and Unauthorized API access vulnerability
Unprotected REST-API leading to Sensitive Information Disclosure and Unauthorized API Access vulnerability, discovered by Chloe Chamberland (Wordfence) in WordPress OptinMonster plugin versions <= 2.6.4. Solution: Update the WordPress OptinMonster plugin to the latest available version, at least 2.6.5...
CVE-2021-24677 Find My Blocks < 3.4.0 - Private Post Titles Disclosure (Design/Logic Flaw)
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles...
CVE-2021-24677
The CVE concerns the WordPress plugin Find My Blocks prior to version 3.4.0, where the REST API lacks authorization checks. This allows unauthenticated users to enumerate titles of private posts via the plugin’s REST endpoints (e.g., private post title disclosure). Impact is limited to affected s...
WordPress Access Control Error Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An Access Control Error vulnerability exists in the Find My Blocks plugin for WordPress, versions...
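The two WordPress entries above describe the same class of bug from two angles: OptinMonster's endpoints were gated by a "logged in or has an API key" check that a low-privilege account satisfies, and Find My Blocks had no authorisation check at all, so anyone could list private post titles. The following is an added example (not code from either plugin or from WordPress itself) showing both weak patterns as comments and the WordPress-idiomatic fix: a capability-scoped `permission_callback` for the settings endpoints and a per-post visibility check for an endpoint that is public by design. The `acme/v1` namespace, the `acme_settings` option, the `/posts-using-block` route and the use of the `s` query argument to stand in for a block-markup search are all hypothetical.

```php
<?php
/**
 * Added example, not code from OptinMonster, Find My Blocks or WordPress core.
 * Namespace "acme/v1", option "acme_settings" and the block-search argument are
 * hypothetical. Shows REST-API authorization done per method and per object.
 */

add_action('rest_api_init', function () {
    // WEAK pattern 1: no authorization at all. Anyone on the internet can read the
    // plugin's settings (API keys, secrets) or change them.
    //   'permission_callback' => '__return_true'
    // WEAK pattern 2: "any logged-in user or a key" style check. A subscriber-level
    // account passes it, which is the "authenticated with low privileges" case.
    //   'permission_callback' => fn() => is_user_logged_in() || acme_has_api_key()
    //
    // Hardened: bind each method to the capability its action actually needs.
    register_rest_route('acme/v1', '/settings', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'acme_get_settings',
            'permission_callback' => 'acme_require_manage_options',
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'acme_update_settings',
            'permission_callback' => 'acme_require_manage_options',
            'args'                => [
                'api_key' => ['type' => 'string', 'sanitize_callback' => 'sanitize_text_field'],
            ],
        ],
    ]);

    // An endpoint that is public by design must still filter results by per-post
    // visibility, otherwise it leaks private post titles to anonymous callers.
    register_rest_route('acme/v1', '/posts-using-block', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_posts_using_block',
        'permission_callback' => '__return_true', // public route; the callback filters
        'args'                => [
            'block' => ['type' => 'string', 'required' => true, 'sanitize_callback' => 'sanitize_text_field'],
        ],
    ]);
});

function acme_require_manage_options(WP_REST_Request $request) {
    // Cookie-authenticated REST calls are treated as anonymous unless they carry a
    // valid X-WP-Nonce header, so current_user_can() here cannot be satisfied by a
    // forged cross-site request.
    if (current_user_can('manage_options')) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __('You are not allowed to access these settings.', 'acme'),
        ['status' => rest_authorization_required_code()] // 401 when anonymous, 403 when logged in
    );
}

function acme_get_settings(WP_REST_Request $request) {
    return rest_ensure_response(get_option('acme_settings', []));
}

function acme_update_settings(WP_REST_Request $request) {
    $settings            = get_option('acme_settings', []);
    $settings['api_key'] = $request->get_param('api_key');
    update_option('acme_settings', $settings);
    return rest_ensure_response(['updated' => true]);
}

// Mirrors the rule WordPress core applies to posts: public status is readable by
// everyone, anything else needs the read_post meta capability for that post.
function acme_can_read_post(WP_Post $post) {
    $status = get_post_status_object(get_post_status($post));
    if ($status && $status->public) {
        return true;
    }
    return current_user_can('read_post', $post->ID);
}

function acme_posts_using_block(WP_REST_Request $request) {
    $query = new WP_Query([
        'post_type'      => 'any',
        'post_status'    => ['publish', 'private'],
        'perm'           => 'readable',  // first line of defence inside the query itself
        'posts_per_page' => 100,
        's'              => $request->get_param('block'), // hypothetical stand-in for a block search
    ]);
    $titles = [];
    foreach ($query->posts as $post) {
        if (acme_can_read_post($post)) {   // second line: per-object check before disclosure
            $titles[] = ['id' => $post->ID, 'title' => get_the_title($post)];
        }
    }
    return rest_ensure_response($titles);
}
```

When testing a fix like this, exercise three callers, not one: an anonymous request, a subscriber-level account, and an administrator, and for the logged-in cases send the `X-WP-Nonce` header (or use an application password), since a cookie without a nonce is deliberately treated as anonymous and would make a broken check look correct.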
Simple JWT Login < 3.2.1 - Arbitrary Settings Update to Site Takeover via CSRF
The plugin does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover. PoC: The following HTML code can be...
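The Simple JWT Login entry above is the classic WordPress CSRF shape: a settings handler that checks the caller's capability but not whether the request was intentionally sent from the plugin's own form, so a page the admin merely visits can submit the form for them. The following is an added example (not code from Simple JWT Login or WordPress core) putting the vulnerable handler beside the nonce-protected one. The option name `acme_settings`, the `acme_save_settings` action and the field names are hypothetical.

```php
<?php
/**
 * Added example, not code from Simple JWT Login or WordPress core.
 * Option "acme_settings", action "acme_save_settings" and the form fields are
 * hypothetical. Contrasts a CSRF-able settings handler with a nonce-checked one.
 */

// VULNERABLE: any request arriving with an admin's session cookie is accepted,
// including one auto-submitted by a third-party page. The capability check does
// not help here, because the victim's own session satisfies it.
add_action('admin_post_acme_save_settings_vuln', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }
    update_option('acme_settings', [
        'hmac_secret'    => sanitize_text_field(wp_unslash($_POST['hmac_secret'] ?? '')),
        'allow_register' => !empty($_POST['allow_register']),
        'default_role'   => sanitize_key($_POST['default_role'] ?? 'subscriber'),
    ]);
    wp_safe_redirect(admin_url('options-general.php?page=acme'));
    exit;
});

// HARDENED, part 1: the form embeds a nonce bound to this action and to the
// logged-in user. A cross-origin page cannot read it, so it cannot forge the POST.
function acme_render_settings_form() {
    $s = get_option('acme_settings', []);
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <?php wp_nonce_field('acme_save_settings'); // emits _wpnonce and _wp_http_referer ?>
        <input type="hidden" name="action" value="acme_save_settings">
        <label>New HMAC secret <input type="password" name="hmac_secret" value=""></label>
        <label><input type="checkbox" name="allow_register" value="1"
               <?php checked(!empty($s['allow_register'])); ?>> Allow self-registration</label>
        <label>Default role
            <select name="default_role">
                <option value="subscriber"  <?php selected($s['default_role'] ?? '', 'subscriber'); ?>>subscriber</option>
                <option value="contributor" <?php selected($s['default_role'] ?? '', 'contributor'); ?>>contributor</option>
            </select>
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// HARDENED, part 2: verify the nonce before touching anything. check_admin_referer()
// validates _wpnonce for this action and calls wp_die() on failure. Keep the
// capability check too: the nonce proves intent, the capability proves authority.
add_action('admin_post_acme_save_settings', function () {
    check_admin_referer('acme_save_settings');
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }

    $settings = get_option('acme_settings', []);

    // Only rotate the secret when a new one was actually supplied.
    if (!empty($_POST['hmac_secret'])) {
        $settings['hmac_secret'] = sanitize_text_field(wp_unslash($_POST['hmac_secret']));
    }
    $settings['allow_register'] = !empty($_POST['allow_register']);

    // Allow-list the role: a self-registration default must never be privileged,
    // no matter what the request claims.
    $role = sanitize_key($_POST['default_role'] ?? 'subscriber');
    $settings['default_role'] = in_array($role, ['subscriber', 'contributor'], true) ? $role : 'subscriber';

    update_option('acme_settings', $settings);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=acme')));
    exit;
});
```

Two checks are worth running against any settings handler after a fix like this: submit the form with `_wpnonce` removed and confirm the request dies instead of saving, and submit it with a nonce generated for a different action name and confirm the same. The role allow-list is a separate, defence-in-depth control: even if a nonce were ever leaked, the form cannot be used to make new registrations administrators.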
CVE-2021-35494 TIBCO JasperReports Server Rest API - unauthorized access to temporary object (race condition)
The Rest API component of TIBCO Software Inc.'s TIBCO JasperReports Server (multiple editions, including TIBCO JasperReports Server - Community Edition, TIBCO JasperReports Server - Developer Edition and TIBCO JasperReports Server for AWS...
bakers-registry (>=0.1.1 <=0.1.7), django-scatter-auth (>=0.1.0 <=0.2.0) +6 more potentially affected by CVE-2020-12607 via fastecdsa (>=1.6.4 <=2.0.0)
Affected: fastecdsa (PyPI) versions 1.6.4 through 2.0.0, plus dependent packages such as walletlib 0.1.0. Source CVEs: CVE-2020-12607. Source advisory: OSV:GHSA-56WV-2WR9-3H9R...
WordPress Ninja Forms Plugin < 3.5.8 Multiple Vulnerabilities
Greenbone NVT for the WordPress Ninja Forms plugin. Copyright (C) 2021 Greenbone Networks GmbH; some text descriptions may be excerpted from referenced sources and are copyright of the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can redistribute it and/or modify it...
Azur3Alph4 - A PowerShell Module That Automates Red-Team Tasks For Ops On Objective
Azur3Alph4 is a PowerShell module that automates red-team tasks for ops on objective. It assumes a post-breach position in which remote code execution has already been achieved; token extraction and many of its other tools will not execute successfully without that starting point. This module should be used for further...
Zammad Information Disclosure Vulnerability (CNVD-2021-81953)
Zammad is an open source web-based help desk/customer support system. Versions prior to 4.1.1 are vulnerable to information disclosure: an attacker could exploit the vulnerability to obtain sensitive information via the REST API...