434 matches found
SUSE CVE-2025-1935
A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8...
CVE-2025-1939
Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox 136...
CVE-2025-1935
A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8...
UBUNTU-CVE-2025-1935
A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8...
CVE-2024-13684
The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the resetdbpage function. This makes it possible for unauthenticated attackers to reset several tables in the database like...
Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners
A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network CDN with an aim to steal credit card information and commit financial fraud. "The attacker targets victims searching for documents on search engines, resulting in access ...
TYPO3 安全漏洞
TYPO3 is a free and open source content management system framework CMS/CMF from the Swiss TYPO3 Association. A security vulnerability exists in TYPO3. By exploiting the vulnerability, an attacker can trick a user into interacting with a malicious URL targeting the backend...
CVE-2024-53991
Discourse is an open source platform for community discussion. This vulnerability only impacts Discourse instances configured to use FileStore::LocalStore which means uploads and backups are stored locally on disk. If an attacker knows the name of the Discourse backup file, the attacker can trick...
CVE-2024-52337 Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick t...
CVE-2024-11447
The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and including, 7.0.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2024-10684 Kognetiks Chatbot for WordPress <= 2.1.7 - Reflected Cross-Site Scripting
The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dir' parameter in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2024-9438 SEUR Oficial <= 2.2.11 - Reflected Cross-Site Scripting
The SEUR Oficial plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'changeservice' parameter in all versions up to, and including, 2.2.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
CVE-2024-9610 Language Switcher <= 3.7.13 - Reflected Cross-Site Scripting
The Language Switcher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg without appropriate escaping on the URL in all versions up to, and including, 3.7.13. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CentOS 7 : skopeo (RHSA-2020:2681)
The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2681 advisory. - A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using...
CVE-2024-9375
The WordPress Captcha Plugin by Captcha Bank plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of addqueryarg without appropriate escaping on the URL in all versions up to, and including, 4.0.36. This makes it possible for unauthenticated attackers to inject...
Malicious code in colourfulls (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 735ca3ff38b76e7b11c1f7b884880871427299042e250bb42e17dcf66b8c8e11 Once imported, the module attempts to download an executable, put into Discord directory and most probably trick discord to start it. The download link does no...
MAL-2024-12246 Malicious code in colourfulls (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 735ca3ff38b76e7b11c1f7b884880871427299042e250bb42e17dcf66b8c8e11 Once imported, the module attempts to download an executable, put into Discord directory and most probably trick discord to start it. The download link does no...
CVE-2024-3886 tagDiv Composer <= 5.0 - Reflected Cross-Site Scripting via envato_code[]
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envatocode’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the onajaxcheckenvatocode function. This makes it possible for...
CVE-2024-5024
CVE-2024-5024 concerns the MemberPress WordPress plugin. The vulnerability is a Reflected Cross-Site Scripting (XSS) flaw that can be triggered via the mepr_screenname and mepr_key parameters in pages that trigger user actions. It affects all versions up to and including 1.11.29 (per the initial ...
Kashipara Hotel Management System 安全漏洞
Kashipara Hotel Management System is a hotel management system from Kashipara. A cross-site request forgery vulnerability exists in Kashipara Hotel Management System v1.0, which can be exploited by an attacker to forge a malicious request and trick a victim into clicking on it to perform a...