CVSS: 5.4EPSS: 5%CPEs: 4EXPL: 3CVE-2019-16223 – WordPress Core < 5.2.3 - Authenticated Cross-Site Scripting via Post Previews
https://notcve.org/view.php?id=CVE-2019-16223
05 Sep 2019 — WordPress before 5.2.3 allows XSS in post previews by authenticated users. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en las vistas previas de publicaciones por parte de usuarios autenticados. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache,... • https://packetstorm.news/files/id/160745 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 0CVE-2018-19296 – Ubuntu Security Notice USN-5956-2
https://notcve.org/view.php?id=CVE-2018-19296
16 Nov 2018 — PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. PHPMailer en versiones anteriores a la 5.2.27 y versiones 6.x anteriores a la 6.0.6 es vulnerable a un ataque de inyección de objetos. Dawid Golunski discovered that PHPMailer was not properly escaping user input data used as arguments to functions executed by the system shell. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. • https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •