CyberAlerts

CVE-2024-28142

Description: Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input field. By exploiting the wildcard character feature, attackers are able to store arbitrary Javascript code which is being triggered if the page is viewed afterwards, e.g. by higher privileged users such as admins. This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10637

Kadence Blocks < 3.2.54 - Admin+ Stored XSS

Description: The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10568

Ajax Search Lite < 4.12.4 - Admin+ Stored XSS

Description: The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10518

ProfilePress < 4.15.15 - Admin+ Stored XSS

Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10517

ProfilePress < 4.15.15 - Admin+ Stored XSS

Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10499

AI-Engine < 2.6.5 - Admin+ SQLi

Description: The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10043

Incorrect Authorization in GitLab

Description: An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.

CVSS: LOW (3.1)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2024-10010

LearnPress < 4.2.7.2 - Admin+ Stored XSS

Description: The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2023-39599

Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings...

Description: Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings parameter.

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE

December 13th, 2024 (4 months ago)

CVE-2023-34666

Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or...

Description: Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or HTML via the admin username parameter.

CVSS: LOW (0.0)

EPSS Score: 0.11%

Source: CVE

December 13th, 2024 (4 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-28142	Stored cross site scripting Description: Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input field. By exploiting the wildcard character feature, attackers are able to store arbitrary Javascript code which is being triggered if the page is viewed afterwards, e.g. by higher privileged users such as admins. This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10637	Kadence Blocks < 3.2.54 - Admin+ Stored XSS Description: The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10568	Ajax Search Lite < 4.12.4 - Admin+ Stored XSS Description: The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10518	ProfilePress < 4.15.15 - Admin+ Stored XSS Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10517	ProfilePress < 4.15.15 - Admin+ Stored XSS Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10499	AI-Engine < 2.6.5 - Admin+ SQLi Description: The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10043	Incorrect Authorization in GitLab Description: An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure. CVSS: LOW (3.1) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2024-10010	LearnPress < 4.2.7.2 - Admin+ Stored XSS Description: The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 13th, 2024 (4 months ago)
CVE-2023-39599	Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings... Description: Cross-Site Scripting (XSS) vulnerability in CSZ CMS v.1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Social Settings parameter. CVSS: LOW (0.0) EPSS Score: 0.06% Source: CVE December 13th, 2024 (4 months ago)
CVE-2023-34666	Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or... Description: Cross-site scripting (XSS) vulnerability in Phpgurukul Cyber Cafe Management System 1.0 allows remote attackers to inject arbitrary web script or HTML via the admin username parameter. CVSS: LOW (0.0) EPSS Score: 0.11% Source: CVE December 13th, 2024 (4 months ago)