CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27851
https://notcve.org/view.php?id=CVE-2020-27851
Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privileged role (Administrator, Editor, etc.). Múltiples vulnerabilidades de inyección HTML almacenadas en las funcionalidades de "poll" y "quiz" en un add-on de pago adicional de Rocketgenius Gravity Forms versiones anteriores a 2.4.21, permite a atacantes remotos inyectar código HTML arbitrario por medio de respuestas de encuestas o cuestionarios. Este código es interpretado por usuarios en un rol privilegiado (Administrador, Editor, etc.) • https://www.digital.security/advisories/cert-ds_advisory_cve-2020-27851.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27852
https://notcve.org/view.php?id=CVE-2020-27852
A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.). Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en la funcionalidad survey en Rocketgenius Gravity Forms versiones anteriores a 2.4.21, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio de un campo de área de texto. Este código es interpretado por usuarios en un rol privilegiado (Administrador, Editor, etc.) • https://www.digital.security/advisories/cert-ds_advisory_cve-2020-27852.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27850
https://notcve.org/view.php?id=CVE-2020-27850
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.). Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado en la funcionalidad forms import en Rocketgenius Gravity Forms versiones anteriores a 2.4.21, permite a atacantes remotos inyectar un script web o HTML arbitrario por medio de la importación de un formulario GF. Este código es interpretado por usuarios en un rol privilegiado (Administrador, Editor, etc.) • https://www.digital.security/advisories/cert-ds_advisory_cve-2020-27850.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13764 – Gravityforms <= 2.4.8 - Information Exposure
https://notcve.org/view.php?id=CVE-2020-13764
common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call. El archivo common.php en el plugin Gravity Forms versiones anteriores a 2.4.9 para WordPress, puede filtrar contraseñas del hash porque la función user_pass no es considerada un caso especial para una llamada de $current_user-)get($property) . • https://docs.gravityforms.com/gravityforms-change-log https://github.com/wp-premium/gravityforms/compare/2.4.8...2.4.9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •