3 results (0.003 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2024-51586 – WordPress Elementary Addons plugin <= 2.0.4 - Stored Cross Site Scripting (XSS) vulnerability

https://notcve.org/view.php?id=CVE-2024-51586

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BRAFT Elementary Addons allows Stored XSS.This issue affects Elementary Addons: from n/a through 2.0.4. The Elementary Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/elementary-addons/wordpress-elementary-addons-plugin-2-0-4-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-21367 – Incorrect Authorization in switchboard-plug-bluetooth

https://notcve.org/view.php?id=CVE-2021-21367

Switchboard Bluetooth Plug for elementary OS from version 2.3.0 and before version version 2.3.5 has an incorrect authorization vulnerability. When the Bluetooth plug is running (in discoverable mode), Bluetooth service requests and pairing requests are automatically accepted, allowing physically proximate attackers to pair with a device running an affected version of switchboard-plug-bluetooth without the active consent of the user. By default, elementary OS doesn't expose any services via Bluetooth that allow information to be extracted by paired Bluetooth devices. However, if such services (i.e. contact list sharing software) have been installed, it's possible that attackers have been able to extract data from such services without authorization. If no such services have been installed, attackers are only able to pair with a device running an affected version without authorization and then play audio out of the device or possibly present a HID device (keyboard, mouse, etc...) to control the device. • https://github.com/elementary/switchboard-plug-bluetooth/commit/86500e645a907538abafe5225b67cc12c03e7645 https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.3.5 https://github.com/elementary/switchboard-plug-bluetooth/security/advisories/GHSA-5p3g-j69g-w2mq https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV7WKO5SZHTF3QEMX4WZ576HRECIG6VQ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O7TCGM4B45VLUJDCE5PHFYA5KBNHD4RA https://lists.fedoraproject • CWE-863: Incorrect Authorization •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2

CVE-2017-17608 – Child Care Script 1.0 - 'city' SQL Injection

https://notcve.org/view.php?id=CVE-2017-17608

Child Care Script 1.0 has SQL Injection via the /list city parameter. Child Care Script 1.0 tiene una inyección SQL mediante el parámetro city en /list. • https://www.exploit-db.com/exploits/43271 https://packetstormsecurity.com/files/145294/Child-Care-Script-1.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •