Threat and Vulnerability Intelligence Database

CVE-2023-1166

Description: The USM-Premium WordPress plugin before 16.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-0873

Description: The Kanban Boards for WordPress plugin before 2.5.21 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-0588

Description: The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

CVSS: LOW (0.0)

EPSS Score: 0.08%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-34849

Description: An unauthorized command injection vulnerability exists in the ActionLogin function of the webman.lua file in Ikuai router OS through 3.7.1.

CVSS: LOW (0.0)

EPSS Score: 1.1%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-29220

Description: Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the website using the product.

CVSS: LOW (0.0)

EPSS Score: 0.05%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-27186

Description: The mail template feature lacks an escaping mechanism, causing XSS vectors in multiple extensions.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-27184

Description: Inadequate validation of URLs could result in an invalid check of whether a redirect URL is internal or not.

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-26337

Description: swftools v0.9.2 was discovered to contain a segmentation violation via the function s_font at swftools/src/swfc.c.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-22117

Description: When a URL is added to the map element, it is recorded in the database with sequential IDs. Upon adding a new URL, the system retrieves the last sysmapelementurlid value and increments it by one. However, an issue arises when a user manually changes the sysmapelementurlid value by adding sysmapelementurlid + 1. This action prevents others from adding URLs to the map element.

CVSS: LOW (2.2)

EPSS Score: 0.04%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-21726

Description: Inadequate content filtering leads to XSS vulnerabilities in various components.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE
November 27th, 2024 (6 months ago)