
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability classified as problematic was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ in the REST Call Handler component. Manipulation of the argument onanimationstart (an HTML event-handler attribute) leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 3.2.5 addresses this issue. • https://vuldb.com/?id.209370 https://wpscan.com/vulnerability/bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed • CWE-707: Improper Neutralization •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Zephyr Project Manager WordPress plugin before 3.2.55 has no authorisation or CSRF checks in any of its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, this could also allow them to perform stored cross-site scripting attacks against logged-in admins. Wordfence describes the same issue as follows: the Zephyr Project Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check and lack of authentication/authorization on its AJAX endpoints in versions up to 3.2.55, which makes it possible for unauthenticated attackers to invoke them. Note that the two sources disagree on whether 3.2.55 itself is affected ("before 3.2.55" versus "up to 3.2.55"); check the plugin changelog before deciding that an installed 3.2.55 is clean. • https://wpscan.com/vulnerability/82e01f95-81c2-46d8-898e-07b3b8a3f8c9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 3

The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injection. Wordfence describes the same issue as follows: the Zephyr Project Manager plugin for WordPress is vulnerable to SQL injection via several parameters in versions up to, and including, 3.2.42, due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query; this makes it possible for unauthenticated attackers to append additional SQL to existing queries and extract sensitive information from the database. Packet Storm likewise reports that WordPress Zephyr Project Manager plugin version 3.2.42 suffers from a remote SQL injection vulnerability. The sources disagree on the fixed version (3.2.5 per WPScan, later than 3.2.42 per Wordfence), but the public exploit targets 3.2.42, so versions at or below 3.2.42 should be treated as affected. • https://www.exploit-db.com/exploits/51024 http://packetstormsecurity.com/files/168652/WordPress-Zephyr-Project-Manager-3.2.42-SQL-Injection.html https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Zephyr Project Manager plugin for WordPress is vulnerable to reflected cross-site scripting via the 'project' parameter in versions up to, and including, 3.2.40, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2727947%40zephyr-project-manager&new=2727947%40zephyr-project-manager&sfp_email=&sfph_mail= https://wordpress.org/plugins/zephyr-project-manager/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/22d50526-e21f-412d-9eed-b9b1f48c3358?source=cve https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1822 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
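The three WordPress entries above describe the same family of plugin defects: AJAX actions reachable without a nonce or capability check (CWE-352 and authorization bypass), parameters concatenated into SQL (CWE-89), and request or database values echoed without escaping (CWE-79). The following is an added illustration, not code from Zephyr Project Manager or from any of the advisories, showing a generic WordPress AJAX handler with all three defects beside a hardened equivalent. The action names, the table name `example_tasks`, the nonce name and the capability `edit_posts` are invented for the example; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `$wpdb->prepare`, `esc_html`, `wp_send_json_*`) are the real core API.

```php
<?php
/**
 * Added example: a generic WordPress AJAX handler, vulnerable and hardened.
 * Not code from Zephyr Project Manager. Table, action and nonce names are
 * invented for illustration.
 */

// --- Vulnerable pattern: what the advisories above describe ------------------

// Registered for logged-in AND anonymous callers (wp_ajax_nopriv_), with no
// nonce and no capability check: any visitor can call it directly, and any
// third-party page can trigger it from a logged-in admin's browser (CSRF).
add_action( 'wp_ajax_example_tasks_search',        'example_tasks_search_vulnerable' );
add_action( 'wp_ajax_nopriv_example_tasks_search', 'example_tasks_search_vulnerable' );

function example_tasks_search_vulnerable() {
    global $wpdb;

    $project = $_GET['project'];   // untrusted and unsanitised

    // String-built SQL: a value such as  1 OR 1=1 --  changes the query (CWE-89).
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}example_tasks WHERE project_id = $project"
    );

    // Reflected, unescaped: markup in ?project= executes in the viewer (CWE-79).
    echo '<h2>Tasks for project ' . $project . '</h2>';
    foreach ( $rows as $row ) {
        echo '<li>' . $row->name . '</li>';   // stored XSS if name was never escaped
    }
    wp_die();
}

// --- Hardened pattern ----------------------------------------------------------

// Only logged-in users reach this action: no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_tasks_search_safe', 'example_tasks_search_hardened' );

function example_tasks_search_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this action
    //    (client side: wp_create_nonce( 'example_tasks_search' ), sent as 'nonce').
    //    check_ajax_referer() stops the request with -1 / HTTP 403 on mismatch.
    check_ajax_referer( 'example_tasks_search', 'nonce' );

    // 2. Authorisation: a capability check, separate from the nonce. A nonce
    //    proves the request came from a page WordPress rendered for this user;
    //    it does not say what that user is allowed to do.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: coerce to the type the query expects (integer id here).
    $project = isset( $_GET['project'] ) ? absint( wp_unslash( $_GET['project'] ) ) : 0;
    if ( 0 === $project ) {
        wp_send_json_error( array( 'message' => 'invalid project' ), 400 );
    }

    // 4. SQL: parameterised through $wpdb->prepare(); %d binds an integer, so
    //    the value can never alter the statement's structure.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}example_tasks WHERE project_id = %d",
            $project
        )
    );

    // 5. Output: escape for the context at the point of use (HTML text here),
    //    whether the value came from the request or from the database.
    $tasks = array();
    foreach ( $rows as $row ) {
        $tasks[] = array(
            'id'   => (int) $row->id,
            'name' => esc_html( $row->name ),
        );
    }
    wp_send_json_success( array( 'project' => $project, 'tasks' => $tasks ) );
}
```

When auditing a plugin for this class of issue, grep for every `wp_ajax_` and `wp_ajax_nopriv_` registration and confirm that each callback performs both a nonce check and a capability check before touching the database or the response; a handler registered under `wp_ajax_nopriv_` is, by design, reachable by anyone, so it must never assume a logged-in caller.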