CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-11185 – WP Live Chat Support Pro <= 8.0.26 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2019-11185
The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension. • https://wordpress.org/plugins/wp-live-chat-support/#developers https://wp-livechat.com https://wpvulndb.com/vulnerabilities/9320 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-9913 – WP Live Chat Support <= 8.0.17 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9913
The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS. El plugin wp-live-chat-support, en versiones anteriores a la 8.0.18 para WordPress, tiene Cross-Site Scripting (XSS) en term en wp-admin/admin.php?page=wplivechat-menu-gdpr-page. WordPress WP Live Chat plugin version 8.0.18 suffers from a cross site scripting vulnerability. • http://seclists.org/fulldisclosure/2019/Mar/42 https://lists.openwall.net/full-disclosure/2019/02/05/14 https://security-consulting.icu/blog/2019/02/wordpress-wp-livechat-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18460 – WP Live Chat Support <= 8.0.15 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-18460
XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request. Existe Cross-Site Scripting (XSS) en el plugin wp-live-chat-support v8.0.15 para WordPress mediante el parámetro term en modules/gdpr.php en una petición wplivechat-menu-gdpr-page en wp-admin/admin.php. • https://github.com/rakjong/vuln/blob/master/wordpress_wp-live-chat-support_XSS.pdf https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14905
https://notcve.org/view.php?id=CVE-2018-14905
The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter. El servidor web en 3CX 15.5.8801.3 es vulnerable a Cross-Site Scripting (XSS) reflejado en el parámetro TimeZoneName en api/CallLog. • https://medium.com/stolabs/security-issues-on-3cx-web-service-d9dc7f1bea79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14906
https://notcve.org/view.php?id=CVE-2018-14906
The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on all stack traces' propertyPath parameters. El servidor web en 3CX 15.5.8801.3 es vulnerable a Cross-Site Scripting (XSS) reflejado en todos los parámetros propertyPath de las trazas de pila. • https://medium.com/stolabs/security-issues-on-3cx-web-service-d9dc7f1bea79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •