1app Technologies, Inc Security Vulnerabilities

[osv] CVE-2023-23900
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in YIKES, Inc. Easy Forms for Mailchimp plugin <= 6.8.8...
AI Score: 6.1 | EPSS: 0.0005 | 2023-08-10 12:15 PM | 5

[osv] CVE-2021-4244
A vulnerability classified as problematic has been found in yikes-inc-easy-mailchimp-extender Plugin up to 6.8.5. This affects an unknown part of the file admin/partials/ajax/add_field_to_form.php. The manipulation of the argument field_name/merge_tag/field_type/list_id leads to cross site...
AI Score: 6 | EPSS: 0.001 | 2022-12-12 02:15 PM | 4

[osv] CVE-2023-2518
The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...
AI Score: 6.2 | EPSS: 0.001 | 2023-05-30 08:15 AM | 5

[osv] CVE-2023-4925
The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...
AI Score: 6 | EPSS: 0.0004 | 2024-01-15 04:15 PM | 8

[osv] CVE-2023-1323
The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape some of its form parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
AI Score: 5.8 | EPSS: 0.0004 | 2023-06-12 06:15 PM | 4

[osv] CVE-2023-1324
The Easy Forms for Mailchimp WordPress plugin before 6.8.8 does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...
AI Score: 6.2 | EPSS: 0.001 | 2023-04-24 07:15 PM | 6

[osv] CVE-2023-1325
The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
AI Score: 6 | EPSS: 0.001 | 2023-04-17 01:15 PM | 6
[cve] CVE-2017-17688
The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an...
CVSS: 5.9 | AI Score: 5.7 | EPSS: 0.008 | 2018-05-16 07:29 PM | 41

[veracode] Session Fixation
@workos-inc/authkit-nextjs vulnerable to Session Fixation. This vulnerability is due to the improper handling of expired sessions within session.ts. This allows an attacker to reuse an expired session by controlling the x-workos-session...
AI Score: 6.8 | EPSS: 0.0004 | 2024-04-01 03:29 AM | 12

[github] @workos-inc/authkit-nextjs session replay vulnerability
Impact: A user can reuse an expired session by controlling the x-workos-session header. Patches: Patched in...
AI Score: 7.1 | EPSS: 0.0004 | 2024-03-29 08:16 PM | 5

[osv] @workos-inc/authkit-nextjs session replay vulnerability
Impact: A user can reuse an expired session by controlling the x-workos-session header. Patches: Patched in...
AI Score: 5.2 | EPSS: 0.0004 | 2024-03-29 08:16 PM | 4
[nessus] 7-Technologies AQUIS Detection
AQUIS is installed on the remote Windows host. It is a tool developed by 7-Technologies for hydraulic modeling of a water...
AI Score: 2.3 | 2012-03-23 12:00 AM | 11

[nessus] RealFlex Technologies RealWin Detection
RealWin, a SCADA server package from RealFlex Technologies to monitor and control real-time applications, is installed on the remote Windows...
AI Score: 2.2 | 2011-03-30 12:00 AM | 12

[nessus] 7-Technologies TERMIS Detection
TERMIS is installed on the remote Windows host. It is a tool developed by 7-Technologies for hydraulic modeling of an energy...
AI Score: 1.4 | 2012-03-23 12:00 AM | 9

[cve] CVE-2024-28519
A kernel handle leak issue in ProcObsrvesx.sys 4.0.0.49 in MicroWorld Technologies Inc eScan Antivirus could allow privilege escalation for low-privileged...
AI Score: 7.6 | EPSS: 0.0004 | 2024-05-03 05:15 PM | 27

[wpvulndb] Code Insert Manager (Q2W3 Inc Manager) <= 2.5.3 - Reflected Cross-Site Scripting
Description: The Code Insert Manager (Q2W3 Inc Manager) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
AI Score: 6.7 | EPSS: 0.0004 | 2024-04-25 12:00 AM | 5

[packetstorm]
AI Score: 7.4 | 2024-04-05 12:00 AM | 81

[githubexploit] Exploit for Vulnerability in Rarlab Winrar
CVE-2023-38831 PoC (Proof Of Concept) This is an easy to use...
AI Score: 8.1 | EPSS: 0.355 | 2023-08-28 04:56 AM | 231
[nessus] Trading Technologies Messaging (ttm_cmd) Detection
The remote host is listening for Trading Technologies Messaging (TTM) ttm_cmd connections. TTM is used as middleware by all TT machines to communicate across the network (whether LAN or WAN), route TT communication via WAN Routing, and broadcast server...
AI Score: 1.7 | 2020-06-03 12:00 AM | 8

[cnvd] Code Injection Vulnerability in Citrix NetScaler ADC and NetScaler Gateway
NetScaler ADC is an application delivery controller. NetScaler Gateway is an access gateway with an SSL VPN solution that provides single sign-on and authentication for remote end users of network assets. Both are Citrix products. A code injection vulnerability exists in Citrix NetScaler ADC and...
CVSS: 8.8 | AI Score: 8.2 | EPSS: 0.02 | 2024-02-22 12:00 AM | 10

[nessus] Keysight Technologies Sensor Management Server Detection
The Keysight Sensor Management Server (SMS), a component of the Keysight RF Sensor Software, is running on the remote...
AI Score: 0.7 | 2022-07-07 12:00 AM | 14

[nessus] 7-Technologies / Schneider-Electric IGSS Detection
IGSS (Interactive Graphical SCADA System) is installed on the remote Windows host. It is a SCADA system for process control and supervision developed by 7-Technologies /...
AI Score: 2.5 | 2011-03-24 12:00 AM | 10

[nessus] 7-Technologies IGSS < 9.0.0.11129 Multiple DoS Vulnerabilities
The installed version of IGSS from 7-Technologies is earlier than 9.0.0.11129 and is, therefore, reportedly affected by several denial of service vulnerabilities. Using specially crafted packets to the IGSSdataServer service listening on TCP port 12401 or the dc.exe service on TCP port 12397, an...
AI Score: 3.5 | 2011-05-16 12:00 AM | 11

[osv] CVE-2023-36088
Server Side Request Forgery (SSRF) vulnerability in NebulaGraph Studio version 3.7.0, allows remote attackers to gain sensitive...
AI Score: 7.4 | EPSS: 0.001 | 2023-09-01 04:15 PM | 8
[nessus] 7-Technologies IGSS < 10.0.0 ODBC Buffer Overflow RCE
The 7-Technologies / Schneider-Electric Interactive Graphical SCADA System (IGSS) application installed on the remote Windows host is a version prior to 10.0.0. It is, therefore, affected by a stack-based buffer overflow condition in the ODBC service due to improper sanitization of user-supplied...
AI Score: 4.2 | 2016-02-29 12:00 AM | 25

[osv] CVE-2023-45281
An issue in Yamcs 5.8.6 allows attackers to obtain the session cookie via upload of crafted HTML...
AI Score: 6.8 | EPSS: 0.0005 | 2023-10-19 05:15 PM | 6

[nessus] 7-Technologies IGSS < 9.0.0.11143 ODBC Invalid Structure RCE
The 7-Technologies / Schneider-Electric Interactive Graphical SCADA System (IGSS) application installed on the remote Windows host is a version prior to 9.0.0.11143. It is, therefore, affected by a memory corruption issue in the ODBC service due to improper sanitization of user-supplied input. An...
AI Score: 3.4 | 2016-02-29 12:00 AM | 19

[nessus] 7-Technologies / Schneider-Electric IGSS Data Collector Detection
The Interactive Graphical SCADA System (IGSS) Data Collector 'dc.exe' is running on the remote Windows host. It is an IGSS system component developed by 7-Technologies /...
AI Score: 2 | 2015-12-04 12:00 AM | 9

[nessus] 7-Technologies / Schneider-Electric IGSS ODBC Version Identification
A 7-Technologies / Schneider-Electric Interactive Graphical SCADA System (IGSS) service is running on the remote Windows host, specifically Odbcixv#se.exe, an IGSS system ODBC component. Here the '#' token represents the version number of the executable, which can...
AI Score: 4.4 | 2016-02-29 12:00 AM | 6

[nessus] 7-Technologies / Schneider-Electric IGSS ODBC Service Detection
A 7-Technologies / Schneider-Electric Interactive Graphical SCADA System (IGSS) service is running on the remote Windows host, specifically Odbcixv#se.exe, an IGSS system ODBC component. Here the '#' token represents the version number of the executable, which can...
AI Score: 4.9 | 2016-02-29 12:00 AM | 12
[osv] CVE-2023-45884
Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the flexibleLayout...
AI Score: 6.4 | EPSS: 0.001 | 2023-11-09 05:15 PM | 5

[nessus] 7-Technologies IGSS < 9.0.0.11143 ODBC Remote Memory Corruption
The installed version of IGSS from 7-Technologies is earlier than 9.0.0.11143. As such, it potentially has a memory corruption error in the Open Database Connectivity (ODBC) component listening on TCP port 20222. Using specially crafted packets, an unauthenticated, remote attacker could leverage...
AI Score: 6.5 | 2011-05-25 12:00 AM | 15

[osv] CVE-2023-45885
Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component feature in the flexibleLayout...
AI Score: 5.4 | EPSS: 0.0004 | 2023-11-09 05:15 PM | 3

[cve] CVE-2024-4398
The HTML5 Audio Player- Best WordPress Audio Player Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVSS: 6.4 | AI Score: 6 | EPSS: 0.001 | 2024-05-14 03:43 PM | 7

[nessus] 7-Technologies IGSS < 9.0.0.11291 DLL Loading Arbitrary Code Execution
The installed version of IGSS from 7-Technologies is earlier than 9.0.0.11291 and is, therefore, potentially affected by an insecure DLL loading vulnerability. Attackers may exploit this issue by placing a specially crafted DLL file and another file associated with the application in a location...
AI Score: 4.9 | 2012-05-23 12:00 AM | 11

[osv] CVE-2023-45280
Yamcs 5.8.6 allows XSS (issue 2 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload an HTML file containing arbitrary JavaScript and then navigate to it. Once the user opens the file, the browser will execute the...
AI Score: 6.3 | EPSS: 0.0004 | 2023-10-19 10:15 PM | 2

[osv] CVE-2023-45277
Yamcs 5.8.6 is vulnerable to directory traversal (issue 1 of 2). The vulnerability is in the storage functionality of the API and allows one to escape the base directory of the buckets, freely navigate system directories, and read arbitrary...
AI Score: 7 | EPSS: 0.001 | 2023-10-19 05:15 PM | 1
[cve] CVE-2024-4362
The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 1.60.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
CVSS: 6.4 | AI Score: 6.1 | EPSS: 0.001 | 2024-05-22 09:15 AM | 19

[openbugbounty] inc-conso.fr Cross Site Scripting vulnerability OBB-3872425
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score: 6.2 | 2024-03-14 02:53 PM | 4

[nessus] Keysight Technologies Sensor Management Server Deserialization RCE (CVE-2022-1660)
The Keysight Sensor Management Server (SMS) running on the remote host is affected by a Java object deserialization vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code in the context of the account running the Keysight SMS...
AI Score: 2.9 | 2022-07-07 12:00 AM | 54

[hackread] Future of eCommerce: Emerging Technologies Shaping Online Retail in 2024
By Uzair Amir. Top-notch stores are moving online as eCommerce continues to lead with breakthrough innovations that are transforming global business… This is a post from HackRead.com. Read the original post: Future of eCommerce: Emerging Technologies Shaping Online Retail in...
AI Score: 7.2 | 2024-05-13 07:32 PM | 6

[osv] CVE-2023-45279
Yamcs 5.8.6 allows XSS (issue 1 of 2). It comes with a Bucket as its primary storage mechanism. Buckets allow for the upload of any file. There's a way to upload a display referencing a malicious JavaScript file to the bucket. The user can then open the uploaded display by selecting Telemetry from...
AI Score: 6.2 | EPSS: 0.0004 | 2023-10-19 10:15 PM | 1

[osv] CVE-2023-45278
Directory Traversal vulnerability in the storage functionality of the API in Yamcs 5.8.6 allows attackers to delete arbitrary files via crafted HTTP DELETE...
AI Score: 7.2 | EPSS: 0.001 | 2023-10-19 05:15 PM | 8
[cve] CVE-2024-2088
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract...
CVSS: 8.5 | AI Score: 6.7 | EPSS: 0.001 | 2024-05-22 07:15 AM | 24

[nessus] 7-Technologies AQUIS Unspecified Path Subversion Arbitrary DLL Injection Code Execution
The installed version of 7-Technologies AQUIS on the remote Windows host is 1.5 dated October 13, 2011 or earlier. As such, it insecurely looks in its current working directory when resolving DLL dependencies. Attackers may exploit this issue by placing a specially crafted DLL file and another...
AI Score: 4.7 | 2012-03-23 12:00 AM | 12

[nessus] Keysight Technologies Sensor Management Server addLicenseFile Path Traversal (CVE-2022-38129)
The Keysight Sensor Management Server (SMS) running on the remote host is affected by a path traversal vulnerability. An unauthenticated, remote attacker can exploit this, via specially crafted messages, to upload and run arbitrary executable files in the context of the account running the...
AI Score: 4.5 | 2022-09-06 12:00 AM | 43

[osv] CVE-2023-5706
The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
AI Score: 5.7 | EPSS: 0.001 | 2023-11-22 04:15 PM | 3

[cve] CVE-2024-2618
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVSS: 6.4 | AI Score: 6.2 | EPSS: 0.001 | 2024-05-24 05:15 AM | 12

[cve] CVE-2024-1415
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.9. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers...
CVSS: 4.3 | AI Score: 6.7 | EPSS: 0.001 | 2024-05-02 05:15 PM | 29

[cve] CVE-2024-1416
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke...
CVSS: 4.3 | AI Score: 7 | EPSS: 0.001 | 2024-05-02 05:15 PM | 33
Total number of security vulnerabilities: 303732