15 matches found

EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2022-1635

Malicious code in bioql PyPI...

CVSS 6.1, AI score 6.3, EPSS 0.01161
Exploits 2, References 5

RedhatCVE
added 2025/05/23 1:11 a.m., 5 views

CVE-2022-1091

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent, mainly XSS, but depending...

CVSS 6.1, AI score 6.6, EPSS 0.01161
Exploits 2, References 1

Cvelist
added 2024/11/07 3:07 p.m., 21 views

CVE-2024-8378 Safe SVG < 2.2.6 - Author+ SVG Sanitisation Bypass

The Safe SVG WordPress plugin before 2.2.6 has its sanitisation code running only for paths that call wp_handle_upload, but not, for example, for code that uses wp_handle_sideload, which is often used to upload attachments via raw POST data...

EPSS 0.00303
Exploits 1, References 1

CVE
added 2024/11/07 3:07 p.m., 119 views

CVE-2024-8378

CVE-2024-8378 relates to the WordPress Safe SVG plugin prior to version 2.2.6. The sanitisation logic only runs for paths that call wp_handle_upload and does not cover code using wp_handle_sideload, which is commonly used to upload attachments via raw POST data. This gap can permit bypass of sani...

CVSS 4.8, AI score 5.3, EPSS 0.00303
Exploits 1, References 1, Affected Software 1

Debian
added 2024/08/26 3:55 p.m., 10 views

[SECURITY] [DLA 3856-1] python-html-sanitizer security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3856-1 [email protected] https://www.debian.org/lts/security/ Chris Lamb August 26, 2024 https://wiki.debian.org/LTS -...

CVSS 6.1, AI score 6.5, EPSS 0.00551
Exploits 0

Tenable Nessus
added 2024/08/26 12:00 a.m., 10 views

Debian dla-3856 : python3-html-sanitizer - security update

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-3856 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3856-1 [email protected] https://www.debian.org/lts/security/...

CVSS 6.1, AI score 6.3, EPSS 0.00551
Exploits 0, References 4

Snyk
added 2023/10/19 10:57 p.m., 4 views

Cross-site Scripting (XSS)

Overview: TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the core undo and redo functionality. An attacker can exploit this vulnerability by passing a carefully-crafted HTML snippet that bypasses the...

CVSS 6.1, AI score 5.2, EPSS 0.0062
Exploits 0, References 2

WPVulnDB
added 2022/11/30 12:00 a.m., 14 views

Eventify <= 2.1 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Go to Settings » Eventify. 2. Under...

CVSS 4.8, AI score 1.3, EPSS 0.00532
Exploits 2, Affected Software 1

Prion
added 2022/10/10 9:15 p.m., 18 views

Cross site scripting

The Advanced Comment Form WordPress plugin before 1.2.1 does not sanitise and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...

CVSS 4.3, AI score 4.8, EPSS 0.0047
Exploits 2, References 1, Affected Software 1

OSV
added 2022/04/19 12:00 a.m., 28 views

GHSA-5H7W-HMXC-99G5 Cross site scripting in safe-svg

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent, mainly XSS, but depending...

CVSS 6.1, AI score 6, EPSS 0.01161
Exploits 2, References 5

NVD
added 2022/04/18 6:15 p.m., 33 views

CVE-2022-1091

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent, mainly XSS, but depending...

CVSS 6.1, EPSS 0.01161
Exploits 2, References 2

Cvelist
added 2022/04/18 5:10 p.m., 35 views

CVE-2022-1091 Safe SVG < 1.9.10 - SVG Sanitisation Bypass

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent, mainly XSS, but depending...

AI score 6.3, EPSS 0.01161
Exploits 2, References 2

wpexploit
added 2022/03/25 12:00 a.m., 115 views

Safe SVG < 1.9.10 - SVG Sanitisation Bypass

The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent, mainly XSS, but depending on further use of uploaded SVG...

CVSS 6.1, AI score 0.2, EPSS 0.01161
Exploits 2, References 1

WPVulnDB
added 2022/03/25 12:00 a.m., 25 views

Safe SVG < 1.9.10 - SVG Sanitisation Bypass

The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent, mainly XSS, but depending on further use of uploaded SVG...

CVSS 6.1, AI score 1.5, EPSS 0.01161
Exploits 2, References 1, Affected Software 1

0day.today
added 2015/04/08 12:00 a.m., 27 views

Balero CMS 0.7.2 Cross Site Scripting / SQL Injection Vulnerabilities

Balero CMS version 0.7.2 suffers from cross site scripting and SQL injection vulnerabilities. document.cookie="counter=1confirm'XSS'; path=/balerocms/"; csrf+stored xss+filter bypass+session hijack: input type="hidden" name="content" value...

AI score 7.8
Exploits 0