CVE

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Internet Marketing Dojo WP Affiliate Links plugin <= 0.1.1 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions.

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Team Heateor Super Socializer plugin <= 7.13.52 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Vadym K. Extra User Details plugin <= 0.5 versions.

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects, that were not properly checked during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected that is being executed when processing the request. A check has been introduced to restrict processing of legal and expected classes for this API. We now log a warning in case there are attempts to inject illegal classes. No publicly available exploits are known.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 3.0.5 versions.

The CMS Commander plugin for WordPress is vulnerable to authorization bypass due to the use of an insufficiently unique cryptographic signature on the 'cmsc_add_site' function in versions up to, and including, 2.287. This makes it possible for unauthenticated attackers to the plugin to change the '_cmsc_public_key' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. This can only be exploited if the plugin has not been configured yet, however, if combined with another arbitrary plugin installation and activation vulnerability, the impact can be severe.

The WP Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation in the ~/admin/views/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Missing permission checks in Jenkins Team Concert Plugin 2.4.1 and earlier allow attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications.