
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Jul 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Basix NEX-Forms – Ultimate Form Builder allows Stored XSS. This issue affects NEX-Forms – Ultimate Form Builder: from n/a through 8.5.10. • https://patchstack.com/database/vulnerability/nex-forms-express-wp-form-builder/wordpress-nex-forms-ultimate-form-builder-plugin-8-5-10-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Mar 2024 — Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields. This issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7. • https://patchstack.com/database/vulnerability/wp-express-checkout/wordpress-wp-express-checkout-plugin-2-3-7-price-manipulation-vulnerability?_s_id=cve • CWE-348: Use of Less Trusted Source; CWE-1284: Improper Validation of Specified Quantity in Input

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Mar 2024 — In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection. • https://github.com/mongo-express/mongo-express/issues/1338 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Feb 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms – Ultimate Form Builder allows Stored XSS. This issue affects NEX-Forms – Ultimate Form Builder: from n/a through 8.5.5. The NEX... • https://patchstack.com/database/vulnerability/nex-forms-express-wp-form-builder/wordpress-nex-forms-plugin-8-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

26 Sep 2022 — The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization. • https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

12 Apr 2022 — An arbitrary file write vulnerability in Express-FileUpload v1.3.1 allows attackers to upload multiple files with the same name, causing an overwrite of files in the web application server. • https://www.npmjs.com/package/express-fileupload • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

12 Apr 2022 — An arbitrary file upload vulnerability in the file upload module of express-fileupload 1.3.1 allows attackers to execute arbitrary code via a crafted PHP file. NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed). • https://github.com/richardgirges/express-fileupload/issues/312#issuecomment-1134912967 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 Sep 2021 — XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths. • https://docs.google.com/document/d/12rq4YIFZLSmZlEsq7d7hYCI1qO5xyIxA1Wrs1m4y9-4/preview • CWE-287: Improper Authentication

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Aug 2021 — Cross Site Request Forgery (CSRF) vulnerability in Express cart v1.1.16 allows attackers to add an administrator account, add a discount code, or cause other unspecified impacts. The express-cart package through 1.1.10 for Node.js allows CSRF. • https://github.com/mrvautin/expressCart/issues/120 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.1 | EPSS: 1% | CPEs: 3 | EXPL: 2

21 Jun 2021 — mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than the supported size, clicking on a row will show the full document unescaped; however, this needs admin interaction on the cell. 2: Data cells identified as media will be rendered as media, without being sanitized. Example of different renders: image, audio, video, etc. As an example of type 1 attack, ... • https://github.com/mongo-express/mongo-express/commit/f5e0d4931f856f032f22664b5e5901d5950cfd4b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')