Auto Generated CVE annotations [Fri Mar 31 16:11:22 UTC 2023] 🤖
parent
8612267a77
commit
1a5385a40f
|
@ -6,11 +6,12 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.
|
||||
remediation: Fixed in version 1.4.14.
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/8d436356-37f8-455e-99b3-effe8d0e3cad
|
||||
- https://wordpress.org/plugins/spider-event-calendar/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2015-2196
|
||||
- http://www.exploit-db.com/exploits/36061
|
||||
remediation: Fixed in version 1.4.14.
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
|
|
@ -6,10 +6,16 @@ info:
|
|||
severity: medium
|
||||
description: |
|
||||
Pie Register < 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue.
|
||||
remediation: Fixed in version 3.7.0.1
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/f1b67f40-642f-451e-a67a-b7487918ee34
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24239
|
||||
- https://plugins.trac.wordpress.org/changeset/2507536/
|
||||
remediation: Fixed in version 3.7.0.1
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2021-24239
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,xss,pie-register,wp,wpscan
|
||||
|
|
|
@ -6,11 +6,12 @@ info:
|
|||
severity: critical
|
||||
description: |
|
||||
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.
|
||||
remediation: Fixed in version 3.5.6
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fb4d7988-60ff-4862-96a1-80b1866336fe
|
||||
- https://wordpress.org/plugins/podlove-podcasting-plugin-for-wordpress/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2021-24666
|
||||
- https://github.com/podlove/podlove-publisher/commit/aa8a343a2e2333b34a422f801adee09b020c6d76
|
||||
remediation: Fixed in version 3.5.6
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
|
@ -18,7 +19,7 @@ info:
|
|||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2021,sqli,wordpress,wp-plugin,wp,podlove-podcasting-plugin-for-wordpress
|
||||
tags: cve2021,sqli,wordpress,wp-plugin,wp,podlove-podcasting-plugin-for-wordpress,wpscan,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -9,14 +9,15 @@ info:
|
|||
reference:
|
||||
- https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-1058
|
||||
- https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-1058
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: title:"Gitea"
|
||||
verified: "true"
|
||||
tags: cve,cve2022,open-redirect,gitea
|
||||
|
||||
requests:
|
||||
|
|
|
@ -3,7 +3,7 @@ id: CVE-2022-23898
|
|||
info:
|
||||
name: MCMS IContentDao.xml. v5.2.5 - SQL Injection
|
||||
author: Co5mos
|
||||
severity: high
|
||||
severity: critical
|
||||
description: |
|
||||
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.
|
||||
reference:
|
||||
|
@ -16,9 +16,9 @@ info:
|
|||
cve-id: CVE-2022-23898
|
||||
cwe-id: CWE-89
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: http.favicon.hash:1464851260
|
||||
fofa-query: icon_hash="1464851260"
|
||||
shodan-query: http.favicon.hash:1464851260
|
||||
verified: "true"
|
||||
tags: cve,cve2022,sqli,mcms
|
||||
|
||||
variables:
|
||||
|
|
|
@ -6,20 +6,21 @@ info:
|
|||
severity: medium
|
||||
description: |
|
||||
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.
|
||||
remediation: Fixed in 0.5.4.1
|
||||
reference:
|
||||
- https://huntr.dev/bounties/95e7c181-9d80-4428-aebf-687ac55a9216/
|
||||
- https://github.com/kareadita/kavita
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-2756
|
||||
- https://github.com/kareadita/kavita/commit/9c31f7e7c81b919923cb2e3857439ec0d16243e4
|
||||
remediation: Fixed in 0.5.4.1
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
||||
cvss-score: 6.5
|
||||
cve-id: CVE-2022-2756
|
||||
cwe-id: CWE-918
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: title:"kavita"
|
||||
tags: cve,cve2022,ssrf,kavita,authenticated
|
||||
verified: "true"
|
||||
tags: ssrf,kavita,authenticated,huntr,cve,cve2022
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -18,7 +18,7 @@ info:
|
|||
cwe-id: CWE-552
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2022,wp-plugin,wordpress,wp,lfi,unauthenticated,usc-e-shop
|
||||
tags: usc-e-shop,wpscan,cve,cve2022,wp-plugin,wp,wordpress,lfi,unauthenticated
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -8,15 +8,16 @@ info:
|
|||
kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-46934
|
||||
- https://github.com/kekingcn/kkFileView/issues/411
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-46934
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: http.html:"kkFileView"
|
||||
tags: cve,cve2022,xss,xss
|
||||
verified: "true"
|
||||
tags: xss,cve,cve2022
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -3,15 +3,21 @@ id: CVE-2022-48012
|
|||
info:
|
||||
name: Opencats v0.9.7 - Cross Site Scripting
|
||||
author: r3Y3r53
|
||||
severity: high
|
||||
severity: medium
|
||||
description: |
|
||||
Opencats v0.9.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /opencats/index.php?m=settings&a=ajax_tags_upd.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2022-48012
|
||||
- https://github.com/Sakura-501/Opencats-0.9.7-Vulnerabilities
|
||||
- https://github.com/Sakura-501/Opencats-0.9.7-Vulnerabilities/blob/main/Opencats-0.9.7-Reflected%20XSS%20in%20onChangeTag.md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2022-48012
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: title:"opencats"
|
||||
verified: "true"
|
||||
tags: cve,cve2022,xss,opencats,authenticated
|
||||
|
||||
requests:
|
||||
|
|
|
@ -6,16 +6,19 @@ info:
|
|||
severity: medium
|
||||
description: |
|
||||
Pie Register < 3.8.2.3 does not properly validate the redirection URL when logging in and login out, leading to an Open Redirect vulnerability
|
||||
remediation: |
|
||||
Fixed in version 3.8.2.3
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/832c6155-a413-4641-849c-b98ba55e8551
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-0552
|
||||
remediation: |
|
||||
Fixed in version 3.8.2.3
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 5.4
|
||||
cve-id: CVE-2023-0552
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2023,redirect,pie,pie-register
|
||||
tags: cve2023,redirect,pie,pie-register,wpscan,cve
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
|
|
@ -10,10 +10,16 @@ info:
|
|||
- https://wpscan.com/vulnerability/71aa9460-6dea-49cc-946c-d7d4bf723511
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-0942
|
||||
- https://wordpress.org/plugins/woocommerce-for-japan/
|
||||
- https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/trunk/includes/admin/views/html-admin-setting-screen.php#L63
|
||||
remediation: Fixed in version 2.5.5
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-0942
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2023,xss,woocommerce-for-japan,woocommerce,wp,plugin,wordpress,authenticated
|
||||
tags: cve2023,woocommerce-for-japan,wp,wpscan,wordpress,authenticated,cve,xss,woocommerce,plugin
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -6,16 +6,20 @@ info:
|
|||
severity: medium
|
||||
description: |
|
||||
The plugin does not sanitise and escape some parameters ((such as email, dn, date and points) before outputting then back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
||||
remediation: Fixed in version 3.3.9.1
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/29008d1a-62b3-4f40-b5a3-134455b01595
|
||||
- https://wordpress.org/plugins/watu/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-0968
|
||||
- https://plugins.trac.wordpress.org/browser/watu/trunk/views/takings.php#L31
|
||||
remediation: Fixed in version 3.3.9.1
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-0968
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2023,wp,wp-plugin,wordpress,xss,watu,authenticated
|
||||
tags: wordpress,cve,cve2023,wp,wp-plugin,xss,watu,authenticated,wpscan
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -6,16 +6,20 @@ info:
|
|||
severity: medium
|
||||
description: |
|
||||
GN Publisher plugin < 1.5.6 vulnerable to Reflected Cross-Site Scripting via the tab parameter in versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping.
|
||||
remediation: Fixed in version 1.5.6
|
||||
reference:
|
||||
- https://wpscan.com/vulnerability/fcbcfb56-640d-4071-bc12-acac1b1e7a74
|
||||
- https://wordpress.org/plugins/gn-publisher/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-1080
|
||||
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8a4ee97c-63cd-4a5e-a112-6d4c4c627a57
|
||||
remediation: Fixed in version 1.5.6
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-1080
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: cve,cve2023,wp,wp-plugin,wordpress,xss,gn-publisher,authenticated
|
||||
tags: wp-plugin,wordpress,gn-publisher,authenticated,cve2023,wp,xss,wpscan,cve
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
|
@ -10,9 +10,14 @@ info:
|
|||
- https://census-labs.com/news/2023/03/16/reflected-xss-vulnerabilities-in-squidex-squidsvg-endpoint/
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-24278
|
||||
- https://www.openwall.com/lists/oss-security/2023/03/16/1
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-24278
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: http.favicon.hash:1099097618
|
||||
verified: "true"
|
||||
tags: cve,cve2023,xss,squidex,cms,unauth
|
||||
|
||||
requests:
|
||||
|
|
|
@ -9,9 +9,15 @@ info:
|
|||
reference:
|
||||
- https://github.com/mrojz/T24/blob/main/CVE-2023-24367.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-24367
|
||||
- https://github.com/mrojz/T24/blob/main/T24_XSS.md
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-24367
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: title:"T24 Sign in"
|
||||
verified: "true"
|
||||
tags: cve,cve2023,xss,temenos
|
||||
|
||||
requests:
|
||||
|
|
|
@ -9,9 +9,14 @@ info:
|
|||
reference:
|
||||
- https://github.com/phpipam/phpipam/issues/3738
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-24657
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-24657
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: html:"phpIPAM IP address management"
|
||||
verified: "true"
|
||||
tags: cve,cve2023,xss,phpipam,authenticated
|
||||
|
||||
requests:
|
||||
|
|
|
@ -8,9 +8,15 @@ info:
|
|||
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.
|
||||
reference:
|
||||
- https://github.com/AetherBlack/CVE/blob/main/PMB/readme.md
|
||||
- https://github.com/AetherBlack/CVE/tree/main/PMB
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-24733
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: http.favicon.hash:1469328760
|
||||
verified: "true"
|
||||
tags: cve,cve2023,unauth,xss,pmb
|
||||
|
||||
requests:
|
||||
|
|
|
@ -9,11 +9,15 @@ info:
|
|||
reference:
|
||||
- https://github.com/AetherBlack/CVE/blob/main/PMB/readme.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-24735
|
||||
- https://github.com/AetherBlack/CVE/tree/main/PMB
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-24735
|
||||
cwe-id: CWE-601
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: http.favicon.hash:1469328760
|
||||
verified: "true"
|
||||
tags: cve,cve2023,redirect,pmb
|
||||
|
||||
requests:
|
||||
|
|
|
@ -9,11 +9,15 @@ info:
|
|||
reference:
|
||||
- https://github.com/AetherBlack/CVE/blob/main/PMB/readme.md
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-24737
|
||||
- https://github.com/AetherBlack/CVE/tree/main/PMB
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 6.1
|
||||
cve-id: CVE-2023-24737
|
||||
cwe-id: CWE-79
|
||||
metadata:
|
||||
verified: "true"
|
||||
shodan-query: http.favicon.hash:1469328760
|
||||
verified: "true"
|
||||
tags: cve,cve2023,xss,pmb
|
||||
|
||||
requests:
|
||||
|
|
|
@ -9,11 +9,12 @@ info:
|
|||
- https://www.inspursystems.com/
|
||||
- https://github.com/MzzdToT/ClusterEngineV4.0sysShell_rce
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2020-21224
|
||||
- https://github.com/NS-Sp4ce/Inspur/tree/master/ClusterEngineV4.0%20Vul
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
||||
cvss-score: 9.8
|
||||
cwe-id: CWE-88
|
||||
cve-id: CVE-2020-21224
|
||||
cwe-id: CWE-88
|
||||
metadata:
|
||||
fofa-query: title="TSCEV4.0"
|
||||
tags: inspur,clusterengine,rce
|
||||
|
|
|
@ -13,7 +13,7 @@ info:
|
|||
- https://plugins.trac.wordpress.org/changeset?reponame=&new=2114019%40watu&old=2112579%40watu&
|
||||
metadata:
|
||||
verified: "true"
|
||||
tags: xss,watu,quiz,authenticated
|
||||
tags: watu,quiz,authenticated,wpscan,xss
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
|
|
Loading…
Reference in New Issue