4 results (0.008 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

The 'WordPress RSS Aggregator' WordPress Plugin, versions < 4.23.9 are affected by a Cross-Site Scripting (XSS) vulnerability due to the lack of sanitization of the  'notice_id'  GET parameter. El complemento 'WordPress RSS Aggregator' de WordPress, versiones &lt;4.23.9, se ven afectados por una vulnerabilidad de Cross Site Scripting (XSS) debido a la falta de sanitización del parámetro GET 'notice_id'. The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'notice_id' parameter in all versions up to, and including, 4.23.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://www.tenable.com/security/research/tra-2024-16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.3EPSS: 2%CPEs: 1EXPL: 1

RSS-aggregator 1.0 does not require administrative authentication for the admin/fonctions/ directory, which allows remote attackers to access admin functions and have unspecified other impact, as demonstrated by (1) an IdFlux request to supprimer_flux.php and (2) a TpsRafraich request to modifier_tps_rafraich.php. RSS-aggregator 1.0 no requiere autentificación de administración para el directorio admin/fonctions/, lo que permite a atacantes remotos acceder a funciones de administración y tener otros impactos no especificados, como se demostró por (1) una petición IdFlux a supprimer_flux.php y (2) una petición TpsRafraich a modifier_tps_rafraich.php. • https://www.exploit-db.com/exploits/32003 http://securityreason.com/securityalert/3975 http://www.securityfocus.com/archive/1/493783/100/0/threaded http://www.securityfocus.com/bid/30016 https://exchange.xforce.ibmcloud.com/vulnerabilities/43509 • CWE-287: Improper Authentication •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2

Multiple SQL injection vulnerabilities in RSS-aggregator 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) IdFlux parameter to admin/fonctions/supprimer_flux.php and the (2) IdTag parameter to admin/fonctions/supprimer_tag.php. Múltiples vulerabilidades de inyección SQL en RSS-aggregator 1.0, permite a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) IdFlux a admin/fonctions/supprimer_flux.php y (2) IdTag a admin/fonctions/supprimer_tag.php. • https://www.exploit-db.com/exploits/32001 https://www.exploit-db.com/exploits/32002 http://securityreason.com/securityalert/3975 http://www.securityfocus.com/archive/1/493783/100/0/threaded http://www.securityfocus.com/bid/30016 https://exchange.xforce.ibmcloud.com/vulnerabilities/43507 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.3EPSS: 6%CPEs: 1EXPL: 1

PHP remote file inclusion vulnerability in display.php in RSS-aggregator allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inclusión de archivo PHP remoto en display.php de RSS-aggregator permite a atacantes remotos ejecutar código PHP arbitrario mediante un URL en el parámetro path. NOTA: algunos de estos detalles se ha obtenido de información de terceros. • https://www.exploit-db.com/exploits/5900 http://secunia.com/advisories/30768 http://www.securityfocus.com/archive/1/493650/100/0/threaded http://www.securityfocus.com/bid/29873 https://exchange.xforce.ibmcloud.com/vulnerabilities/43283 • CWE-94: Improper Control of Generation of Code ('Code Injection') •