CVE-2024-51639 – WordPress Naver Blog plugin <= 1.0 - CSRF to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2024-51639
Cross-Site Request Forgery (CSRF) vulnerability in Hints Naver Blog allows Stored XSS. This issue affects Naver Blog: from n/a through 1.0. The Naver Blog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/naver-blog-api/wordpress-naver-blog-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-25632
https://notcve.org/view.php?id=CVE-2023-25632
The Android Mobile Whale browser app before 3.0.1.2 allows an attacker to bypass its browser unlock function via the 'Open in Whale' feature. • https://cve.naver.com/detail/cve-2023-25632.html • CWE-284: Improper Access Control • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CVE-2023-0146 – Naver Map <= 1.1.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0146
The Naver Map WordPress plugin through 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Naver Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/d1218c69-4f6a-4b2d-a537-5cc16a46ba7b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24077
https://notcve.org/view.php?id=CVE-2022-24077
Naver Cloud Explorer Beta allows an attacker to execute arbitrary code with System privileges via malicious DLL injection. • https://cve.naver.com/detail/cve-2022-24077.html • CWE-269: Improper Privilege Management • CWE-427: Uncontrolled Search Path Element
CVE-2021-33592
https://notcve.org/view.php?id=CVE-2021-33592
NAVER Toolbar before 4.0.30.323 allows remote attackers to execute arbitrary code via a crafted upgrade.xml file. Special characters in the filename parameter can cause the code signing check function to be bypassed. • https://cve.naver.com/detail/cve-2021-33592 • CWE-20: Improper Input Validation