Security
Headlines
HeadlinesLatestCVEs

Tag

#php

phpFK 9.2 Beta Cross Site Scripting / SQL Injection

phpFK version 9.2 Beta suffers from cross site scripting and remote SQL injection vulnerabilities.

Packet Storm
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#apple#google#ubuntu#linux#debian#cisco#java#php#perl#auth#ruby#firefox
AngularJS Filemanager 1.5.1 Shell Upload

AngularJS Filemanager version 1.5.1 suffers from a remote shell upload vulnerability.

Aplikasi Sistem Informasi Kelulusan CMS 1.0.9 Remote File Inclusion

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a remote file inclusion vulnerability.

Amazon S3 Droppy 1.4.6 Shell Upload

Amazon S3 Droppy version 1.4.6 suffers from a remote shell upload vulnerability.

CVE-2021-4399: Changeset 2478642 for edwiser-bridge – WordPress Plugin Repository

The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), connection_test_initiater(), admin_menus(), and subscribe_handler() function. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2021-4397: Changeset 2548539 for staff-directory-pro – WordPress Plugin Repository

The Staff Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2021-4400: Changeset 2473344 for better-search – WordPress Plugin Repository

The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_settings_export() functions. This makes it possible for unauthenticated attackers to import and export settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2021-4401: Changeset 2473676 for analogwp-templates/trunk/inc/class-quick-edit.php – WordPress Plugin Repository

The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2021-4405: Changeset 2473455 for elasticpress/trunk/includes/classes/Feature/Autosuggest/Autosuggest.php – WordPress Plugin Repository

The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.