CVE-2017-18600
The formcraft3 plugin before 3.4 for WordPress has stored XSS via the "New Form > Heading > Heading Text" field.
Source: CVE-2017-18600
CVE-2017-18601
The examapp plugin 1.0 for WordPress has XSS via exam input text fields.
Source: CVE-2017-18601
CVE-2017-18603
The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter.
Source: CVE-2017-18603
CVE-2017-18599
The Pinfinity theme before 2.0 for WordPress has XSS via the s parameter.
Source: CVE-2017-18599
CVE-2017-18596
The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.
Source: CVE-2017-18596
CVE-2017-18597
The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL Injection via the admin/class-jtrt-responsive-tables-admin.php tableId parameter.
Source: CVE-2017-18597
CVE-2017-18598
The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php.
Source: CVE-2017-18598
CVE-2019-16192
upload_model() in /admini/controllers/system/managemodel.php in DocCms 2016.5.17 allows remote attackers to execute arbitrary PHP code through module management files, as demonstrated by a .php file in a ZIP archive.
Source: CVE-2019-16192
CVE-2019-6791
An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control (issue 3 of 3). When a project with visibility more permissive than the target group is imported, it will retain its prior visibility.
Source: CVE-2019-6791
CVE-2019-7176
An issue was discovered in GitLab Community and Enterprise Edition 8.x (starting in 8.9), 9.x, 10.x, and 11.x before 11.5.9, 11.6.x before 11.6.7, and 11.7.x before 11.7.2. It has Incorrect Access Control. Guest users are able to add reaction emojis on comments to which they have no visibility.
Source: CVE-2019-7176