CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

Publify versions v8.0 to v9.2.4 are vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the “publisher” role to inject malicious JavaScript via an uploaded HTML file. • https://github.com/publify/publify/commit/d99c0870d3dbbfde7febdc6cad33199b84770101 • https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

Publify versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with the “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article. • https://github.com/publify/publify/commit/fefd5f76302adcc425b2b6e7e7d23587cfc0083e • https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25974 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Publify versions 9.0.0.pre1 to 9.2.4 are vulnerable to improper access control. Users with the “guest” role can self-register even when the admin does not allow it. This happens because the restriction is enforced only in the front end. • https://github.com/publify/publify/commit/3447e0241e921b65f6eb1090453d8ea73e98387e • https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25973 • CWE-285: Improper Authorization • CWE-669: Incorrect Resource Transfer Between Spheres

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Publify before 8.0.1 is vulnerable to a Denial of Service attack. • https://hackmysystems.tumblr.com/post/85475092711/denial-of-service-in-publify-cve-2014-3211 • CWE-400: Uncontrolled Resource Consumption