The events-manager plugin before 5.6 for WordPress has code injection.

CVE-2015-9298: Events Manager

Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.

SGSA 162019-03-19When Cross Cluster Search (CCS) is enabled, authenticated users can gain read access to data they are not authorized to seeUpdate6.x-24.3floragunnSGSA 152018-12-13Field caps and mapping API leak field names (not values) for fields which are not allowed for the user because FLS was activatedUpdate6.x-24.0floragunnSGSA 142018-12-13Values of string arrays in data are not properly anonymizedUpdate6.x-24.0floragunnSGSA 132018-03-19Possible URL injection on login page when basePath is setUpdateKibana plugin 6.x-16floragunnSGSA 122018-08-24REST API leak password hashes (not cleartext) for users endpointUpdate6.x-23.1Thorsten Lutz, SySS GmbHSGSA 112018-09-14For aggregations, clear text values of anonymised fields were leakedUpdate6.x-23.1floragunnSGSA 102018-01-18Password dependent timing side channel in AuthCredentialsUpdate6.x-21.0@madblobfishSGSA 92018-04-09A Kibana user could impersonate as kibanaserver user when providing wrong credentialsUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Guy MollerSGSA 82018-04-04Redirect and XSS vulnerability in Kibana pluginUpdateKibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12Vineet KumarSGSA 7n/a2017-08-10DLS/FLS leaking information when multitenancy module is installed and “do not fail on forbidden” is activatedUpdate or deactivate “do not fail on forbidden”SG v15Guy MollerSGSA 6n/a2017-02-13FLS/DLS not working for regex index patternsUpdate or avoid regex patternsSG v11 and DLS/FLS module v6Guy MollerSGSA 5n/a2017-01-13Auditlog does not log all security relevant eventsUpdateSG V10Guy MollerSGSA 4n/a2017-01-05FLS/DLS not working for index patternsUpdateSG v10 and DLS/FLS module v5Matej ZerovnikSGSA 3n/a2016-11-27Wrong permissions resolution for certain index/type combinationsUpdate6.x-23.1Lucas BremgartnerSGSA 2n/a2016-11-25DLS not picked up when getting documents by IDUpdateSG v9 and DLS/FLS module v5Fabio CornetiSGSA 1n/a2016-07-28Authentication cache lead to password hashcode vulnerabilityUpdateSG V4Vladimir Gordiychuk

CVE-2019-13418: CVE - advisory - Search Guard

The ultimate-member plugin before 1.3.18 for WordPress has XSS via text input.

CVE-2015-9304: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

The simple-membership plugin before 3.5.7 for WordPress has XSS.

CVE-2017-18499: Simple Membership

The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.

CVE-2017-18508: 3CX Free Live Chat

The wp-ultimate-csv-importer plugin before 3.8.1 for WordPress has XSS.

CVE-2015-9306: Import All Pages, Post types, Products, Orders, and Users as XML & CSV

The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress allows email subscription XSS.

CVE-2019-14799: FV Flowplayer Video Player

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter.

CVE-2019-14787: Newsletters

The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF.

CVE-2019-14683: Import and export users and customers

A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

**

Summary

**

*   A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected system.
    
    The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    This advisory is available at the following link:  
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-fmc-xss
    

**

Affected Products

**

*   At the time of publication, this vulnerability affected Cisco Firepower Management Center if it was running a release earlier than Release 6.4.0.
    
    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
    

**

Workarounds

**

*   There are no workarounds that address this vulnerability.
    

**

Fixed Software

**

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, Cisco Firepower Management Center releases 6.4.0 and later contained the fix for this vulnerability.
    
    See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    

**

Exploitation and Public Announcements

**

*   The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
    

**

Source

**

*   This vulnerability was found by Sanmith Prakash of Cisco during internal security testing.
    

**

Cisco Security Vulnerability Policy

**

*   To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
    

**

Action Links for This Advisory

**

**

Related to This Advisory

**

**

URL

**

**

Revision History

**

*   Version
    
    Description
    
    Section
    
    Status
    
    Date
    
    1.1
    
    Updated Source information.
    
    Source
    
    Final
    
    2019-August-21
    
    1.0
    
    Initial public release.
    
    \-
    
    Final
    
    2019-August-07
    
    Show Less
    

**

Legal Disclaimer

**

*   THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
    
    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
    

**

Feedback

**

Tag

#perl