CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27425 – WordPress Electric Studio Client Login Plugin <= 0.8.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-27425
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in James Irving-Swift Electric Studio Client Login plugin <= 0.8.1 versions. The Electric Studio Client Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/electric-studio-client-login/wordpress-electric-studio-client-login-plugin-0-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0073 – Client Logo Carousel <= 3.0.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0073
The Client Logo Carousel WordPress plugin through 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Client Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/e5599968-a435-405a-8829-9840a2144987 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43657
https://notcve.org/view.php?id=CVE-2021-43657
A Stored Cross-site scripting (XSS) vulnerability via MAster.php in Sourcecodetester Simple Client Management System (SCMS) 1.0 allows remote attackers to inject arbitrary web script or HTML via the vulnerable input fields. • https://github.com/c0n5n3d/CVE-2021-43657 https://github.com/c0n5n3d/CVE-2021-43657/blob/main/Info.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-23507 – Light client verification not taking into account chain ID
https://notcve.org/view.php?id=CVE-2022-23507
Tendermint is a high-performance blockchain consensus engine for Byzantine fault tolerant applications. Versions prior to 0.28.0 contain a potential attack via Improper Verification of Cryptographic Signature, affecting anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes). The light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client. The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks. • https://github.com/informalsystems/tendermint-rs/security/advisories/GHSA-xqqc-c5gw-c5r5 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39397 – Exposure of sensitive information in aliyun-oss-client
https://notcve.org/view.php?id=CVE-2022-39397
aliyun-oss-client is a rust client for Alibaba Cloud OSS. Users of this library will be affected, the incoming secret will be disclosed unintentionally. This issue has been patched in version 0.8.1. aliyun-oss-client es un cliente rust para Alibaba Cloud OSS. Los usuarios de esta librería se verán afectados y el secreto entrante se revelará sin querer. Este problema se solucionó en la versión 0.8.1. • https://github.com/tu6ge/oss-rs/commit/e4553f7d74fce682d802f8fb073943387796df29 https://github.com/tu6ge/oss-rs/security/advisories/GHSA-3w3h-7xgx-grwc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •