1394 matches found
PT-2023-12515 · WordPress · Remove Schema Plugin
Name of the Vulnerable Software and Affected Versions: Remove Schema plugin for WordPress versions up to, and including, 1.5 Description: The issue is due to missing or incorrect nonce validation on the validate function, making it possible for unauthenticated attackers to modify the plugin's...
WordPress Plugin Event Espresso 4 Decaf 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...
CVE-2023-3427
The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'savecustomer' function. This makes it possible for unauthenticated attackers to change the admin role to...
keycloak: client access via device auth request spoof
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized acce...
keycloak: Untrusted Certificate Validation
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If...
CVE-2023-3411
The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing nonce validation on the ajaxstoresave function. This makes it possible for unauthenticated...
CVE-2023-35810
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing...
CVE-2023-35808
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input...
PT-2023-25326 · Sugarcrm · Sugarcrm Enterprise
Name of the Vulnerable Software and Affected Versions: SugarCRM Enterprise versions prior to 11.0.6 SugarCRM Enterprise versions 12.x prior to 12.0.3 Description: An issue has been identified in the REST API of SugarCRM, allowing for a Bean Manipulation vulnerability. This vulnerability can be...
CVE-2023-2893
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the processdeactivateproduct function. This makes it possible for unauthenticated attackers to deactivate products via ...
CVE-2023-2894
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the processbulkdeactivateproduct function. This makes it possible for unauthenticated attackers to bulk deactivate...
PT-2023-17537 · WordPress · The Announcement & Notification Banner – Bulletin
Name of the Vulnerable Software and Affected Versions: The Announcement & Notification Banner – Bulletin plugin for WordPress versions up to, and including, 3.7.0 Description: The issue allows unauthenticated attackers to modify the plugin's settings, modify bulletins, create new bulletins, and...
WordPress Plugin WP Activity Log 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...
CVE-2023-3052
The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azhaddpost', 'azhduplicatepost', 'azhupdatepost' and 'azhremovepost' functions. This makes it possibl...
PT-2023-19387 · Vcita · The Event Registration Calendar By Vcita
Name of the Vulnerable Software and Affected Versions: The Event Registration Calendar By vcita plugin versions up to and including 3.9.1 Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress affected versions not specified Description: The issue is due to missing nonce...
PT-2023-3775 · Fatek Automation · Fvdesigner
Name of the Vulnerable Software and Affected Versions: Fatek Automation FvDesigner affected versions not specified Description: This issue allows remote attackers to execute arbitrary code on affected installations of Fatek Automation FvDesigner. User interaction is required to exploit this...
The vulnerability of the user_list_backend.php script in the Piwigo content management system allows attackers to carry out SQL injection attacks.
The vulnerability of the userlistbackend.php script in the Piwigo content management system is related to the lack of validation for the consistency of XML objects. Exploiting this vulnerability allows a malicious actor to carry out attacks based on SQL injections...
CVE-2023-2886
Missing Origin Validation in WebSockets vulnerability in CBOT Chatbot allows Content Spoofing Via Application API Manipulation.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7...
CVE-2023-23303
The Toybox.Ant.GenericChannel.enableEncryption API method in CIQ API version 3.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. A malicious application could call the API method with specially crafted object and hijack the...
PT-2023-2951 · Cscape · Cscape Envision Rv +1
Name of the Vulnerable Software and Affected Versions: Cscape EnvisionRV affected versions not specified Cscape affected versions not specified Description: The issue is related to a lack of proper validation of user-supplied data when parsing font files, such as FNT. This can lead to an...