CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-9382
https://notcve.org/view.php?id=CVE-2020-9382
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's {{#widget:}} parser function. Se detectó un problema en la extensión Widgets versiones hasta 1.4.0 para MediaWiki. Un saneamiento inapropiado del título permitió una ejecución de cualquier página wiki como un widget (como se definió mediante esta extensión) por medio de la función del analizador {{#widget:}} de MediaWiki. • https://gerrit.wikimedia.org/r/q/I953e060bc6994ffdba9f380c98173f53f8ca1ea8 https://phabricator.wikimedia.org/T245850 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6737
https://notcve.org/view.php?id=CVE-2015-6737
Cross-site scripting (XSS) vulnerability in the Widgets extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors involving base64 encoded content. Vulnerabilidad de XSS en la extensión Widgets para MediaWiki, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores relacionados con contenidos codificados base64. • http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165193.html http://www.openwall.com/lists/oss-security/2015/08/12/6 http://www.openwall.com/lists/oss-security/2015/08/27/6 http://www.securityfocus.com/bid/76858 https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-August/000179.html https://security.gentoo.org/glsa/201510-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2015-9438 – Display Widgets <= 2.03 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9438
The display-widgets plugin before 2.04 for WordPress has XSS via the wp-admin/admin-ajax.php?action=dw_show_widget id_base, widget_number, or instance parameter. El plugin display-widgets versiones anteriores a 2.04 para WordPress, presenta una vulnerabilidad de tipo XSS por medio del parámetro id_base, widget_number, o instance de wp-admin/admin-ajax.php?action=dw_show_widget. • http://cinu.pl/research/wp-plugins/mail_a7012199c9236754edd72786637e5d2d.html https://wordpress.org/plugins/display-widgets/#developers https://wpvulndb.com/vulnerabilities/8247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 8EXPL: 0CVE-2013-1973
https://notcve.org/view.php?id=CVE-2013-1973
The autocomplete callback in Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-rc1 does not properly handle node permissions, which allows remote authenticated users to obtain sensitive field values via unspecified vectors. La rellamada de autocompletar en Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) módulo 6.x-1.x anterior a 6.x-1.4 y 7.x-1.x anterior a 7.x-1.0-rc1 no maneja debidamente permisos de nodo, loque permite a usuarios remotos autenticados obtener valores de campos sensibles a través de vectores no especificados. • http://osvdb.org/92532 http://secunia.com/advisories/52996 https://drupal.org/node/1971848 https://drupal.org/node/1971856 https://drupal.org/node/1972976 • CWE-264: Permissions, Privileges, and Access Controls •