CVE-2021-24408 – Prismatic < 2.8 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2021-24408
21 Jun 2021 — The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to place Cross-Site Scripting payloads in them. A post made by a Contributor would still have to be approved by an admin before the XSS could trigger on the frontend; however, higher-privilege users such as Editors could exploit this without approval, even when the blog disallows the unfiltered_html capability. • https://wpscan.com/vulnerability/51855853-e7bd-425f-802c-824209f4f84d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24409 – Prismatic < 2.8 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24409
21 Jun 2021 — The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an HTML attribute, leading to a reflected Cross-Site Scripting issue that executes in the context of a logged-in administrator. • https://wpscan.com/vulnerability/ae3cd3ed-aecd-4d8c-8a2b-2936aaaef0cf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
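How the two Prismatic issues above arise, and how output escaping and allowlisting close them, as an added PHP example that is not the plugin's code: the shortcode name demo_code, its lang attribute, the tab allowlist and the payload are constructed for the demo; only the tab parameter name comes from the advisory. The stand-in escape_attr() does what WordPress' esc_attr() does for this purpose.

```php
<?php
declare(strict_types=1);
// Added example, not code from the Prismatic plugin. It reproduces the two patterns
// the advisories describe (a shortcode attribute and a GET parameter written into an
// HTML attribute without escaping) and the output escaping that closes them.
// The shortcode name "demo_code", its "lang" attribute, the tab allowlist and the
// payload are constructed; only the "tab" parameter name appears in the advisory.

// Constructed payload: closes a double-quoted attribute and adds an event handler.
const PAYLOAD = 'php" onmouseover="alert(document.cookie)" x="';

// Stand-in for WordPress' esc_attr(): encodes &, <, >, " and ' for attribute context.
function escape_attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Stored XSS through a shortcode attribute (CVE-2021-24408 pattern) ----------
// KSES strips disallowed HTML from a Contributor's post, but [demo_code lang="..."]
// is plain text, so the payload survives in post_content; the handler turns it into
// markup every time the post is rendered.

function shortcode_vulnerable(array $atts): string
{
    $lang = $atts['lang'] ?? 'none';
    return '<pre class="language-' . $lang . '"><code>...</code></pre>';
}

function shortcode_hardened(array $atts): string
{
    $lang = $atts['lang'] ?? 'none';
    // Escaping for the attribute context is the fix the advisory calls for; the
    // quotes in the payload become &quot; and can no longer close the attribute.
    return '<pre class="language-' . escape_attr($lang) . '"><code>...</code></pre>';
}

// --- Reflected XSS through the 'tab' GET parameter (CVE-2021-24409 pattern) -----

function tab_link_vulnerable(string $tab): string
{
    return '<a class="nav-tab" href="?page=demo&tab=' . $tab . '">' . $tab . '</a>';
}

function tab_link_hardened(string $tab): string
{
    $allowed = ['general', 'prism', 'highlight'];   // constructed allowlist
    if (!in_array($tab, $allowed, true)) {
        $tab = 'general';                            // unknown tab: fall back, never echo it
    }
    return '<a class="nav-tab" href="?page=demo&tab=' . escape_attr($tab) . '">'
         . escape_attr($tab) . '</a>';
}

// What do_shortcode() and $_GET['tab'] would hand the handlers for the payload.
$atts = ['lang' => PAYLOAD];
$tab  = PAYLOAD;

echo "vulnerable shortcode: ", shortcode_vulnerable($atts), PHP_EOL;
echo "hardened shortcode:   ", shortcode_hardened($atts), PHP_EOL;
echo "vulnerable tab link:  ", tab_link_vulnerable($tab), PHP_EOL;
echo "hardened tab link:    ", tab_link_hardened($tab), PHP_EOL;
```

Run it with `php demo.php`. The vulnerable shortcode line comes out as `<pre class="language-php" onmouseover="alert(document.cookie)" x="">`, which is why removing unfiltered_html does not help: the payload is text between shortcode brackets, not an HTML tag, so KSES leaves it alone and the plugin itself builds the dangerous markup at render time. The hardened shortcode shows escaping alone neutralising the payload; the hardened tab link shows the stronger option of accepting only known values, which is the right choice when the set of valid inputs is fixed.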
CVE-2020-26097
https://notcve.org/view.php?id=CVE-2020-26097
18 Nov 2020 — The firmware of the PLANET Technology Corp NVR-915 and NVR-1615 before 2020-10-28 embeds default credentials for root access via telnet. Where telnet is exposed to the Internet, remote root access to the device is possible. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. • https://www.sec-research.com/1604584604-hard-coded-credentials-in-netzwerk-videorekorder-planet-nvr-915.html • CWE-798: Use of Hard-coded Credentials •
CVE-2019-25138 – User Submitted Posts <= 20190312 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2019-25138
02 May 2019 — The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. • https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-user-submitted-posts-plugin • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2016-11001 – User Submitted Posts < 20160215 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-11001
10 Feb 2016 — The user-submitted-posts plugin before 20160215 for WordPress has a Cross-Site Scripting vulnerability via the user-submitted-content field. • https://wordpress.org/plugins/user-submitted-posts/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-7463
https://notcve.org/view.php?id=CVE-2014-7463
19 Oct 2014 — The IM5 Fans Planet (aka uk.co.pixelkicks.im5) application 2.3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • http://www.kb.cert.org/vuls/id/284969 • CWE-310: Cryptographic Issues •
CVE-2014-7035
https://notcve.org/view.php?id=CVE-2014-7035
16 Oct 2014 — The Harmonizers Planet (aka uk.co.pixelkicks.fifthharmony) application 2.3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • http://www.kb.cert.org/vuls/id/582497 • CWE-310: Cryptographic Issues •
CVE-2014-6694
https://notcve.org/view.php?id=CVE-2014-6694
24 Sep 2014 — The 5SOS Family Planet (aka uk.co.pixelkicks.fivesos) application 2.3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • http://www.kb.cert.org/vuls/id/582497 • CWE-310: Cryptographic Issues •
CVE-2007-4477
https://notcve.org/view.php?id=CVE-2007-4477
22 Aug 2007 — The administration interface in the Planet VC-200M VDSL2 router allows remote attackers to cause a denial of service (administration interface outage) via an HTTP request without a Host header. • http://secunia.com/advisories/26559 •
CVE-2006-3676
https://notcve.org/view.php?id=CVE-2006-3676
21 Jul 2006 — admin/gallery_admin.php in planetGallery before 14.07.2006 allows remote attackers to execute arbitrary PHP code by uploading files with a double extension and then directly accessing the uploaded file in the images directory, which bypasses a regular expression check for safe file types. • http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0434.html •
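Both upload issues on this page (User Submitted Posts, which ran no file type check in usp_check_images, and planetGallery, whose regex could be bypassed with a double extension) come down to trusting the client-supplied filename. The following is an added PHP example, not code from either plugin: the unanchored regex is an assumption about what a bypassable check looks like, since the page does not show planetGallery's actual pattern, and the sample uploads are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from User Submitted Posts or planetGallery. It shows the
// two failure modes the advisories describe (no file type check at all, and a regex
// that finds a safe extension anywhere in the name and so passes "shell.jpg.php"),
// then a check a practitioner would write: allowlist the final extension, sniff the
// content, require the two to agree, and never reuse the client's filename.
// The regex below is an assumption; planetGallery's real pattern is not on the page.

// Constructed uploads: a genuine 1x1 PNG and a PHP web shell under several names.
const PNG_1X1 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
const SHELL   = "<?php system(\$_GET['c']); ?>";
$uploads = [
    ['name' => 'avatar.png',    'data' => base64_decode(PNG_1X1)],
    ['name' => 'shell.jpg.php', 'data' => SHELL],   // double extension, ends in .php
    ['name' => 'shell.php.jpg', 'data' => SHELL],   // safe-looking extension, PHP content
    ['name' => 'shell.php',     'data' => SHELL],
];

// Failure mode 1: no validation at all (the usp_check_images-style gap).
function check_none(string $name, string $data): bool
{
    return true;
}

// Failure mode 2: unanchored extension regex. Any ".jpg" substring satisfies it,
// so "shell.jpg.php" passes and the web server then executes it as PHP.
function check_regex_unanchored(string $name, string $data): bool
{
    return (bool) preg_match('/\.(jpe?g|png|gif)/i', $name);
}

// Hardened: the last extension must be allowlisted and must match the sniffed type.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

function check_hardened(string $name, string $data): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));   // only the final extension counts
    if (!isset(ALLOWED[$ext])) {
        return false;
    }
    // libmagic looks at the bytes, not the name: "<?php" is text/x-php, not an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    return $mime === ALLOWED[$ext];
}

// Storage name the client cannot influence: random token plus the validated extension.
function storage_name(string $name): string
{
    return bin2hex(random_bytes(16)) . '.' . strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

foreach ($uploads as $u) {
    $ok = check_hardened($u['name'], $u['data']);
    printf("%-14s none=%-6s regex=%-6s hardened=%-6s %s\n",
        $u['name'],
        check_none($u['name'], $u['data']) ? 'pass' : 'reject',
        check_regex_unanchored($u['name'], $u['data']) ? 'pass' : 'reject',
        $ok ? 'pass' : 'reject',
        $ok ? 'stored as ' . storage_name($u['name']) : '');
}
```

Only avatar.png survives check_hardened(): shell.jpg.php fails on its final extension, shell.php.jpg fails because libmagic reports PHP rather than image/jpeg, and shell.php fails both. Inside WordPress the equivalent of check_hardened() is wp_check_filetype_and_ext(), which compares the extension against the allowed MIME map and sniffs the content; outside WordPress, finfo or getimagesize() does the sniffing. Since direct access to the stored file is the second half of both exploits, the upload directory should also be served with script execution disabled, so a file that does slip through is returned as bytes rather than run.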