
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 May 2022 — The Multi-page Toolkit WordPress plugin through 2.6 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well • https://wpscan.com/vulnerability/9d6c628f-cdea-481c-a2e5-101dc167718d • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

01 Oct 2020 — In the `@actions/core` npm module before version 1.2.6, `addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the `set-env` and `add-path` workflow commands in the near future. For now, users shou... • https://github.com/guettli/fix-CVE-2020-15228 • CWE-20: Improper Input Validation • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

22 May 2017 — Metadata Anonymisation Toolkit (MAT) 0.6 and 0.6.1 silently fails to perform "Clean metadata" actions upon invocation from the Nautilus contextual menu, which allows context-dependent attackers to obtain sensitive information by reading a file for which cleaning had been attempted. • https://0xacab.org/mat/mat/commit/8f6303a1f26fe8dad83ba96ab8328dbdfa3af59a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Aug 2015 — Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the "administer ncip providers" permission for requests that alter NCIP providers via a crafted request. • http://www.openwall.com/lists/oss-security/2015/07/04/4 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 Jun 2014 — Cross-site scripting (XSS) vulnerability in tinymce/popup.php in the Ruven Toolkit plugin 1.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the popup parameter. • http://codevigilant.com/disclosure/wp-plugin-ruven-toolkit-a3-cross-site-scripting-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •