CVE-2023-6046
The CVE-2023-6046 entry describes a vulnerability in the EventON WordPress plugin prior to version 2.2. The issue is caused by insufficient sanitization and escaping of certain settings, enabling stored HTML injection by high-privilege users (e.g., admins) even when unfiltered_html is disallowed....
CVE-2023-6046 EventON < 2.2 - Admin+ Stored HTML Injection
The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed...
PT-2024-14861 · WordPress · Eventon
Name of the Vulnerable Software and Affected Versions: EventON WordPress plugin versions prior to 2.2 Description: The issue allows high privilege users, such as admin, to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed, due to the plugin not sanitizin...
WordPress plugin EventON security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. A WordPress plugin is an application...
EventON < 2.2 - Admin + Stored HTML Injection
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed. PoC 1. Go to the Virtual Event - This is a virtual online event. 2...
EventON < 2.2 - Admin + Stored HTML Injection
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed. 1. Go to the Virtual Event - This is a virtual online event. 2. Configure...
CVE-2023-2325
Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1 allows an attacker to execute script in users' browsers via a stored HTML document...
M-Files Cross-Site Scripting Vulnerability
M-Files is an innovative metadata-driven document management platform from M-Files, Inc. A cross-site scripting vulnerability exists in M-Files Classic Web prior to 23.10, M-Files LTS Service Release prior to 23.2 LTS SR4, and 23.8 LTS SR1, which originates from a vulnerability that could allow a...
PT-2023-18881 · M Files · M-Files Classic Web
Name of the Vulnerable Software and Affected Versions: M-Files Classic Web versions before 23.10 M-Files Classic Web LTS Service Release Versions before 23.2 LTS SR4 M-Files Classic Web LTS Service Release Versions before 23.8 LTS SR1 Description: The issue allows an attacker to execute a script ...
WordPress Ninja Forms Contact Form Plugin < 3.6.26 Multiple Vulnerabilities
The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:ninjaforms:contactform"; ifdescription...
Ninja Forms < 3.6.26 - Admin+ Stored HTML Injection
Description The plugin does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored HTML injection. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc.; however t...
Stored HTML injection
Description Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability. Steps to reproduce 1...
Exploit for Cross-site Scripting in Teampass
CVE-2023-2591: Stored HTML Injection in Item Label in Teampass...
OpenEMR < 7.0.1 Multiple Vulnerabilities
OpenEMR is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:open-emr:openemr"; ifdescription...
CVE-2023-27775
CVE-2023-27775 is a stored HTML injection vulnerability in LiveAction LiveSP v21.1.2 that allows an attacker to execute arbitrary code via a crafted payload. The available documents indicate the issue is exploitable with network access and requires user interaction, with a CVSS v3.1 base score of...
Stored HTML Injection
phpmyfaq is vulnerable to Stored HTML Injection. The vulnerability exists due to improper handling of inputs through the FAQ-Proposal Form, which allows an attacker to inject and execute malicious HTML content in the web page when an admin views the proposal, possibly leading to code execution...
Stored HTML Injection
phpmyfaq is vulnerable to Stored HTML Injection. The vulnerability exists due to improper handling of inputs through the Question Form, which allows an attacker to inject and execute malicious HTML content in the web page when an admin approves the question, possibly leading to code execution...
stored HTML-Injection in the FAQ-Proposal
Dear Ladies and Gentlemen, First of all, thank you for your time and effort in reading my report. While doing the penetration test, my brother Josef Hassan [email protected] and I were able to identify another stored HTML-Injection vulnerability in the FAQ-Proposal form. The process of the...