CVE-2024-32797 – WordPress WP LinkedIn Auto Publish plugin <= 8.11 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32797
Missing Authorization vulnerability in Martin Gibson WP LinkedIn Auto Publish. This issue affects WP LinkedIn Auto Publish: from n/a through 8.11. The WP LinkedIn Auto Publish plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_linkedin_autopublish_delete_all_linkedin_settings() function in versions up to, and including, 8.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the plugin's settings. • https://patchstack.com/database/vulnerability/wp-linkedin-auto-publish/wordpress-wp-linkedin-auto-publish-plugin-8-11-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
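The pattern behind CWE-862 in a WordPress AJAX handler, shown as an added example (this is not the plugin's own code; the option name, nonce action and AJAX action names are assumptions, while add_action(), delete_option(), current_user_can(), check_ajax_referer() and wp_send_json_*() are standard WordPress functions):

```php
<?php
// Added illustration, not code from WP LinkedIn Auto Publish. The option key
// 'wp_linkedin_autopublish_settings' and the action names are assumed.

// Vulnerable pattern (CWE-862). Hooking wp_ajax_ (and not wp_ajax_nopriv_) means the
// caller must be logged in, but nothing checks *which* user is calling, so any
// subscriber who can reach admin-ajax.php can wipe the plugin's settings.
function vulnerable_delete_all_settings() {
    delete_option('wp_linkedin_autopublish_settings');
    wp_send_json_success('settings deleted');
}
add_action('wp_ajax_linkedin_autopublish_delete_all_vuln', 'vulnerable_delete_all_settings');

// Hardened form. Nonce first (rejects cross-site request forgery), then capability
// (rejects low-privileged accounts). Neither check substitutes for the other: a
// valid nonce proves the request came from the plugin's own admin page, not that
// the user is allowed to perform a destructive action.
function hardened_delete_all_settings() {
    check_ajax_referer('linkedin_autopublish_delete_all', 'nonce'); // wp_die()s on mismatch
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);        // exits
    }
    delete_option('wp_linkedin_autopublish_settings');
    wp_send_json_success('settings deleted');
}
add_action('wp_ajax_linkedin_autopublish_delete_all', 'hardened_delete_all_settings');

// The settings page that issues the request must emit the matching nonce, e.g.
// wp_nonce_field('linkedin_autopublish_delete_all', 'nonce');
```

To confirm a fix of this class, log in as a Subscriber and invoke the action through admin-ajax.php: the hardened handler fails the nonce check or returns a 403, and the option in the database is unchanged. Reviewing a plugin for this bug means reading every wp_ajax_*, admin_post_* and REST callback and asking what capability each one enforces before it writes.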
CVE-2021-4264 – LinkedIn dustjs prototype pollution
https://notcve.org/view.php?id=CVE-2021-4264
A vulnerability was found in LinkedIn dustjs up to 2.x and rated as problematic. Functionality not identified more precisely in the advisory allows improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The issue is addressed in release 3.0.0 (see the linked commit and pull request). • https://github.com/linkedin/dustjs/commit/ddb6523832465d38c9d80189e9de60519ac307c3 https://github.com/linkedin/dustjs/issues/804 https://github.com/linkedin/dustjs/pull/805 https://github.com/linkedin/dustjs/releases/tag/v3.0.0 https://vuldb.com/?ctiid.216464 https://vuldb.com/?id.216464 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2022-2148 – LinkedIn Company Updates <= 1.5.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2148
The LinkedIn Company Updates WordPress plugin through 1.5.3 does not sanitise and escape its settings, allowing high-privilege users such as admin to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/92214311-da6d-49a8-95c9-86f47635264f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-26722
https://notcve.org/view.php?id=CVE-2021-26722
LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar. • https://github.com/linkedin/oncall/issues/341 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
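Both XSS entries above (the stored case in the Company Updates settings page and the reflected case in the Oncall "No results found for" message) come down to the same two controls: sanitise what is stored and escape at every point where it is written into HTML. The following added example shows both in plain PHP so it runs from the CLI; it is not code from either project (Oncall itself is a Python application), and the setting name and payload are constructed for the illustration. In a WordPress plugin the equivalent helpers are sanitize_text_field() on save and esc_html() / esc_attr() on output.

```php
<?php
// Added example, not code from LinkedIn Company Updates or LinkedIn Oncall.

// Reflected XSS: the search term is interpolated into HTML verbatim.
function render_no_results_vulnerable(string $q): string {
    return "<p>No results found for $q</p>";
}

// Escaped for an HTML text context: <, >, &, " and ' are all neutralised.
function render_no_results(string $q): string {
    return '<p>No results found for '
         . htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Stored XSS in a settings page. Because the value persists, sanitise on save
// (limit what can be stored) AND escape on output (every output site, every time).
// This matters even for administrators when unfiltered_html is disallowed: the
// plugin, not core, is then the only thing standing between the admin form and
// the database.
function save_setting(array &$store, string $key, string $raw): void {
    $clean = strip_tags($raw);                                  // settings are plain text
    $clean = trim(preg_replace('/[\r\n\t]+/', ' ', $clean));    // no line breaks either
    $store[$key] = $clean;
}

// Attribute context: escape with ENT_QUOTES so a stored " cannot close the value.
function render_setting_input(array $store, string $key): string {
    $val = $store[$key] ?? '';
    return '<input type="text" name="' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed payload that breaks out of both an attribute and a text node.
$payload = '"><script>alert(1)</script>';

echo render_no_results_vulnerable($payload), "\n";   // script tag reaches the browser
echo render_no_results($payload), "\n";              // rendered as literal text

$store = [];
save_setting($store, 'company_id', $payload);
echo render_setting_input($store, 'company_id'), "\n";
```

The reflected fix is a single escape at the output site; the stored fix needs the save-side filter as well, because other templates (admin lists, e-mails, widgets) may later print the same option without remembering to escape it.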
CVE-2017-17580 – FS Linkedin Clone 1.0 - 'grid' / 'fid' / 'id' SQL Injection
https://notcve.org/view.php?id=CVE-2017-17580
FS Linkedin Clone 1.0 has SQL Injection via the grid parameter of group.php, the fid parameter of profile.php, or the id parameter of company_details.php. • https://www.exploit-db.com/exploits/43249 https://packetstormsecurity.com/files/145307/FS-Linkedin-Clone-1.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
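The injectable parameters above are all numeric record identifiers spliced into query text. As an added example (not the FS Linkedin Clone code; the table, columns and row data are constructed, and the in-memory SQLite database via PDO is used only so the script runs stand-alone), here is the vulnerable shape next to the fixed one:

```php
<?php
// Added example, not code from FS Linkedin Clone. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO companies VALUES (1, 'Acme', 'private'), (2, 'Globex', 'hidden')");

// Vulnerable (CWE-89): the request parameter becomes part of the SQL text, so
// "1 OR 1=1" changes the WHERE clause instead of being compared as a value.
function company_details_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT id, name FROM companies WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: validate the type first (an id is a non-negative integer, nothing else),
// then bind it as a parameter so the database never parses it as SQL.
function company_details(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM companies WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$attack = '1 OR 1=1';                                  // constructed attacker input
print_r(company_details_vulnerable($db, $attack));     // returns every company row
try {
    company_details($db, $attack);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(company_details($db, '2'));                    // exactly one row
```

The type check is what makes the error visible to the developer instead of silently returning no rows; the bound parameter is what makes the query safe even if the check is later loosened to accept other formats. Apply the same two steps to every parameter that reaches a query, including the ones named in the advisory (grid, fid, id), rather than only the one under test.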