CVE-2024-49224 – WordPress Mitm Bug Tracker plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-49224
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mahesh Patel Mitm Bug Tracker allows Reflected XSS. This issue affects Mitm Bug Tracker: from n/a through 1.0. The Mitm Bug Tracker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/mitm-bug-tracker/wordpress-mitm-bug-tracker-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2045 – Session 1.17.5 - LFR via chat attachment
https://notcve.org/view.php?id=CVE-2024-2045
Session version 1.17.5 allows obtaining internal application files and public files from the user's device without the user's consent. This is possible because the application is vulnerable to Local File Read via chat attachments. • https://fluidattacks.com/advisories/newman https://github.com/oxen-io/session-android • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-25052 – Catalyst-Plugin-Session Session ID Session.pm _load_sessionid cross site scripting
https://notcve.org/view.php?id=CVE-2018-25052
A vulnerability has been found in Catalyst-Plugin-Session up to 0.40 and classified as problematic. This vulnerability affects the function _load_sessionid of the file lib/Catalyst/Plugin/Session.pm of the component Session ID Handler. The manipulation of the argument sid leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.41 addresses this issue. • https://github.com/perl-catalyst/Catalyst-Plugin-Session/commit/88d1b599e1163761c9bd53bec53ba078f13e09d4 https://github.com/perl-catalyst/Catalyst-Plugin-Session/releases/tag/0.41 https://vuldb.com/?ctiid.216958 https://vuldb.com/?id.216958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-39287 – Plaintext transmission of CSRF tokens in tiny-csrf
https://notcve.org/view.php?id=CVE-2022-39287
tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0, cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/valexandersaulys/tiny-csrf/commit/8eead6da3b56e290512bbe8d20c2c5df3be317ba https://github.com/valexandersaulys/tiny-csrf/security/advisories/GHSA-pj2c-h76w-vv6f • CWE-319: Cleartext Transmission of Sensitive Information
CVE-2022-24880 – Potential Captcha Validate Bypass in flask-session-captcha
https://notcve.org/view.php?id=CVE-2022-24880
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, the `captcha.validate()` function would return `None` if passed no value (e.g. by submitting an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Version 1.2.1 fixes the issue. Users can work around the issue by not explicitly checking that the value is False. • https://github.com/Tethik/flask-session-captcha/commit/2811ae23a38d33b620fb7a07de8837c6d65c13e4 https://github.com/Tethik/flask-session-captcha/pull/27 https://github.com/Tethik/flask-session-captcha/releases/tag/v1.2.1 https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45 • CWE-253: Incorrect Check of Function Return Value CWE-394: Unexpected Status Code or Return Value CWE-754: Improper Check for Unusual or Exceptional Conditions