CVE-2022-48426
In JetBrains TeamCity before 2022.10.3 stored XSS in Perforce connection settings was possible
Source: CVE-2022-48426
[월:] 2023년 03월
CVE-2020-36666
CVE-2020-36666
The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-membership WordPress plugin before 1.5.7, sold by the same developer (e-plugins), do not implementing any security measures in some AJAX calls. For example in the file plugin.php, the function iv_directories_update_profile_setting() uses update_user_meta with any data provided by the ajax call, which can be used to give the logged in user admin capabilities. Since the plugins allow user registration via a custom form (even if the blog does not allow users to register) it makes any site using it vulnerable.
Source: CVE-2020-36666
CVE-2023-0272
CVE-2023-0272
The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Source: CVE-2023-0272
CVE-2022-48429
CVE-2022-48429
In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible
Source: CVE-2022-48429
CVE-2023-1144
CVE-2023-1144
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
Source: CVE-2023-1144
CVE-2023-1143
CVE-2023-1143
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
Source: CVE-2023-1143
CVE-2023-1659
CVE-2023-1659
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Source: CVE-2023-1659
CVE-2023-22707
CVE-2023-22707
Auth. (author+) Cross-Site Scripting (XSS) vulnerability in Wpsoul Greenshift – animation and page builder blocks plugin <= 4.9.9 versions.
Source: CVE-2023-22707
CVE-2023-27296
CVE-2023-27296
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422
Source: CVE-2023-27296
CVE-2023-1655
CVE-2023-1655
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.
Source: CVE-2023-1655