2 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Marcel Pol Elo Rating Shortcode allows Stored XSS.This issue affects Elo Rating Shortcode: from n/a through 1.0.3. The Elo Rating Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/elo-rating-shortcode/wordpress-elo-rating-shortcode-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1

There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before 10.18.040 in ELO ELOenterprise 9 and 10 and ELOprofessional 9 and 10 that makes it possible to read all database content. The vulnerability exists in the ticket HTTP GET parameter. For example, one can succeed in reading the password hash of the administrator user in the "userdata" table from the "eloam" database. Hay una vulnerabilidad de inyección SQL ciega basada en tiempo en el componente Access Manager en versiones anteriores a la 9.18.040 y las versiones 10.x anteriores a la 10.18.040 en ELO ELOenterprise 9 y 10 y ELOprofessional 9 y 10 que posibilita leer todo el contenido de la base de datos. La vulnerabilidad existe en el parámetro HTTP GET ticket. • http://seclists.org/fulldisclosure/2018/Jul/29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •