CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

Jun 9, 2026

Recover Exit For WooCommerce Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the Recover Exit For WooCommerce plugin for WordPress, affecting all versions up to and including 1.0.3. The issue arises from inadequate validation and sanitization of the user-controlled 'tpf' POST parameter, which is used in an 'include()' path within the 'recover_exit()' function. This vulnerability allows unauthenticated attackers to perform path traversal and include unintended local PHP files, potentially leading to exposure of sensitive information and, in some cases, code execution.

4.3
Jun 9, 2026

6Storage Rentals WordPress Plugin Authorization Bypass Vulnerability Allowing Unauthenticated User Data Modification

A vulnerability exists in the 6Storage Rentals plugin for WordPress, affecting all versions up to and including 2.22.0. The issue arises from an authorization bypass that allows unauthenticated users to manipulate tenant information. This is achieved through the 'userId' parameter in the 'six_storage_get_user_info' and 'six_storage_update_profile' AJAX actions. The vulnerability stems from a lack of proper ownership verification, session binding, and nonce validation, enabling attackers to access and modify sensitive data such as names, email addresses, phone numbers, physical addresses, and Social Security numbers by sending crafted requests with specific 'userId' values.

4.0
Jun 9, 2026

WP GDPR Cookie Consent Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP GDPR Cookie Consent plugin for WordPress, affecting versions through 1.0.0. The issue arises from inadequate capability and nonce checks in the handleAjaxCalls() function, poor input sanitization of the gdprConfig values, and a lack of output escaping in the generateCSS() function. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary scripts into pages, which are executed when users access the injected pages.

3.1
Jun 9, 2026

WP Meta Sort Posts Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WP Meta Sort Posts plugin for WordPress, affecting all versions through 0.9. The issue arises from inadequate nonce validation in the 'msp-options.php' file, allowing unauthenticated attackers to manipulate the 'msp_loop_file' and 'msp_nav_location' settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

3.3
Jun 9, 2026

WP Emoticon Rating WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WP Emoticon Rating plugin for WordPress, affecting all versions through 1.0.1. The vulnerability arises from inadequate nonce validation, allowing unauthenticated attackers to manipulate settings and inject malicious scripts by tricking a site administrator into clicking a link.

3.6
Jun 9, 2026

WpMobi WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WpMobi plugin for WordPress, affecting all versions through 0.0.3. The issue arises from inadequate nonce validation in the handleSaveGeneralSettings function, allowing unauthenticated attackers to alter the plugin's General Settings. Exploitation involves injecting unescaped scripts into the administrator's browser via the app_name attribute. This is possible by tricking an admin into clicking a link, with the injected script executing even if the app_name value is invalid and not saved in the database, as the form reverts to the attacker-supplied value on validation failure.

3.6
Jun 9, 2026

WP Ultimate Map WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WP Ultimate Map plugin for WordPress, affecting versions through 1.1. The issue arises from the absence of nonce validation in the 'process_init' function, which is triggered during the 'admin_init' action. This function saves various plugin settings, including zoom level and geographic focus, using the 'update_option' function. The vulnerability allows unauthenticated attackers to manipulate plugin settings and inject arbitrary scripts by exploiting the lack of validation and sanitization, particularly with the 'zoom-level' parameter.

3.9
Jun 9, 2026

FastPicker WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the FastPicker WordPress plugin, specifically in the order management system for WooCommerce. This vulnerability affects all versions up to and including 1.0.2. The issue arises from inadequate nonce validation in the 'settingsPage' function, allowing unauthenticated attackers to manipulate the plugin's settings. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request, which could toggle webhook integration or alter API URLs.

3.5
Jun 9, 2026

AJAX Report Comments WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the AJAX Report Comments plugin for WordPress, affecting all versions through 2.0.4. The issue arises from inadequate nonce validation in the rc_options_page function, allowing unauthenticated attackers to manipulate various plugin settings. This includes altering link text, message templates, comment thresholds, cookie durations, and notification email details. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.

3.5
Jun 9, 2026

kk Blog Card WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the kk Blog Card plugin for WordPress, affecting all versions through 1.3. The issue arises from inadequate input sanitization and output escaping on the 'href' and 'type' attributes of the 'blog-card' shortcode. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary scripts into pages, which are executed when users access the affected content.

3.1
Jun 9, 2026

Global Body Mass Index Calculator Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Global Body Mass Index Calculator plugin for WordPress, affecting versions through 1.2. The issue arises from inadequate input sanitization and output escaping of user-supplied shortcode attributes in the 'GBMI_Calc_Widget::widget()' function. Shortcode attributes are directly extracted into local variables and then echoed without proper escaping into HTML style attributes and body context. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary scripts into pages, which are executed when users access the injected content.

3.4
Jun 9, 2026

WP ApplicantStack Jobs Display Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP ApplicantStack Jobs Display plugin for WordPress, affecting all versions through 1.1.1. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with contributor-level access or higher to inject arbitrary scripts into pages. These scripts are executed when users access the compromised pages.

3.4
Jun 9, 2026

RomanCart Ecommerce Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the RomanCart Ecommerce plugin for WordPress, affecting versions through 2.0.8. The issue arises from inadequate input sanitization and output escaping on user-supplied attributes within the 'romancart_button' shortcode. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary scripts into pages, which are executed when users access the affected page.

3.4
Jun 9, 2026

Extra Settings for RocketChat WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Extra Settings for RocketChat plugin for WordPress, affecting versions through 0.1. The issue arises from inadequate input sanitization and output escaping in the 'rocketchat' shortcode's 'title' attribute. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary scripts into pages, which are executed when users access the affected page.

3.4
Jun 9, 2026

Helpfulcrowd Product Reviews WordPress Plugin Authorization Bypass Vulnerability via PHP Type Juggling

A vulnerability exists in the Helpfulcrowd Product Reviews plugin for WordPress, specifically in versions up to and including 1.2.9. The issue arises from an authorization bypass flaw that leverages PHP type juggling. The vulnerability is rooted in the 'helpfulcrowd_validate_token()' function, which improperly uses a loose comparison operator to validate the 'token' parameter. This flaw allows unauthenticated users to bypass token validation and manipulate plugin settings arbitrarily.

4.3
Jun 9, 2026

ePaperFlip Publisher Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the ePaperFlip Publisher plugin for WordPress, affecting all versions through version 1. This issue arises from inadequate input sanitization and output escaping on the 'publicationid' attribute of the 'epaperflip_embed' shortcode, allowing authenticated attackers with Contributor-level access and above to inject arbitrary scripts. These scripts execute when a user accesses the compromised page.

3.1
Jun 9, 2026

Huawei HarmonyOS Permission Control Vulnerability in File Preview Module

A permission control vulnerability has been identified in the file preview module of Huawei devices running HarmonyOS 6.1.0 or 6.0.0. This vulnerability could be exploited to affect the confidentiality of service.

5.0
Jun 9, 2026

Huawei HarmonyOS Permission Control Vulnerability in Print Module

A permission control vulnerability has been identified in the print module of Huawei HarmonyOS. This vulnerability affects versions HarmonyOS 6.1.0 and HarmonyOS 6.0.0. Successful exploitation may impact the integrity and confidentiality of services.

5.0
Jun 9, 2026

Huawei HarmonyOS Permission Control Vulnerability in Clone Module

A permission control vulnerability has been identified in the clone module of Huawei HarmonyOS. This vulnerability affects versions HarmonyOS 6.1.0 and HarmonyOS 6.0.0. Successful exploitation may compromise service confidentiality.

5.0
Jun 9, 2026

Huawei HarmonyOS Permission Management Vulnerability in Network Management Module

A permission management vulnerability has been identified in the network management module of Huawei HarmonyOS. This vulnerability affects versions HarmonyOS 6.1.0 and HarmonyOS 6.0.0. Successful exploitation may impact service integrity.

5.0
Jun 9, 2026

Spring Framework Unsafe Deserialization Vulnerability via Jackson JMS Converters

A vulnerability exists in the Spring Framework within the Jackson JMS message converters, specifically in versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. In an untrusted JMS environment, these converters permit arbitrary class instantiation, potentially leading to unauthorized actions through gadget class deserialization.

5.1
Jun 9, 2026

Spring Framework Server-Side Request Forgery Vulnerability in UriComponentsBuilder

A server-side request forgery (SSRF) vulnerability has been identified in Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18. The issue arises from incorrect host parsing in UriComponentsBuilder; applications that rely on this component to validate externally provided URL strings can be exploited.

5.2
Jun 9, 2026

Spring Framework Multipart Request Smuggling Vulnerability in Web Applications

A vulnerability allowing multipart request smuggling has been identified in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. This vulnerability affects applications using Spring MVC or Spring WebFlux that accept multipart requests and are protected by a Web Application Firewall (WAF) or proxy capable of parsing multipart requests and performing content-based checks. Under these conditions, an attacker could craft malicious multipart requests that bypass WAF or proxy defenses.

5.1
Jun 9, 2026

Spring Framework SpEL Evaluation Vulnerability Allowing Arbitrary Method Invocation

A vulnerability exists in Spring Framework's Expression Language (SpEL) evaluation logic, allowing arbitrary zero-argument method invocations. This issue arises even in restricted or read-only contexts, potentially enabling attackers to execute unintended application logic. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

5.2
Jun 9, 2026

Spring Framework Denial-of-Service Vulnerability via Unbounded Cache Growth in SpEL Expressions

A denial-of-service vulnerability has been identified in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. This vulnerability arises in applications that accept user-supplied Spring Expression Language (SpEL) expressions and cache the parsed expressions. When these conditions are met, an attacker can exploit the vulnerability by causing unbounded cache growth, leading to memory exhaustion and a denial-of-service condition after a high volume of processing, typically involving millions of evaluations.

5.4
Jun 9, 2026

Spring Framework Algorithmic Denial-of-Service Vulnerability via User-Supplied SpEL Expressions

A vulnerability exists in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48, all of which are no longer supported. Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions can be exploited to cause an Algorithmic Denial-of-Service (DoS). By crafting a specific expression, an attacker can induce excessive resource consumption during the evaluation process, leading to application degradation or unavailability.

5.4
Jun 9, 2026

Spring Framework Denial-of-Service Vulnerability via Integer Overflow in SpEL Expressions

A denial-of-service vulnerability has been identified in the Spring Framework, specifically in versions 5.3.0 through 5.3.48. This issue arises from an integer overflow in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this vulnerability by sending a specially crafted SpEL expression that causes excessive resource consumption, leading to a denial-of-service condition. Applications that accept and evaluate untrusted or user-controlled SpEL expressions are particularly vulnerable.

5.4
Jun 9, 2026

Spring Framework Regular Expression Denial-of-Service Vulnerability in AntPathMatcher

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Spring Framework's AntPathMatcher. This issue arises when an attacker can supply a pattern that is then used by methods such as match, matchStart, or extractUriTemplateVariables. The vulnerability is present in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48, including versions no longer supported.

5.4
Jun 9, 2026

Spring Framework Security Filter Bypass in WebFlux Kotlin Router DSL

A security bypass vulnerability has been identified in Spring WebFlux applications that use the Kotlin Router DSL. This issue affects Spring Framework versions 5.3.0 through 5.3.48, including versions no longer supported. The vulnerability arises when an application applies a filter that modifies the 'ServerRequest' before passing it to the next handler. In such cases, any security enhancements made to the request by the filter are ignored, and the original request is sent to the handler, undermining the intended security measures.

5.5
Jun 9, 2026

Spring Framework Cross-Site Scripting Vulnerability via JSP Form Tag Attributes

A cross-site scripting (XSS) vulnerability has been identified in Spring MVC applications that use user-supplied values in the 'cssClass', 'cssErrorClass', or 'cssStyle' attributes of JSP form tags. This issue allows for the injection of arbitrary HTML or JavaScript, potentially leading to XSS attacks. The vulnerability affects multiple versions of the Spring Framework, including 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

5.3
Jun 9, 2026

Spring Framework Cross-Site Scripting Vulnerability via JavaScript Escape Function

A cross-site scripting (XSS) vulnerability has been identified in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. This vulnerability arises from improper escaping in the 'JavaScriptUtils.javaScriptEscape()' function, which can lead to JavaScript code injection in the browser.

5.3
Jun 9, 2026

Spring Framework Open Redirect Vulnerability in Spring MVC and WebFlux

A vulnerability exists in Spring MVC and Spring WebFlux applications that configure a mapping for '/**' without an explicitly specified view name. This flaw allows an attacker to create a link that triggers a 302 redirect to an arbitrary external host using the 'redirect:' prefix. Additionally, in Spring MVC applications with the same conditions, internal redirects can be crafted using the 'forward:' prefix.

5.2
Jun 9, 2026

Spring Framework Path Traversal Vulnerability in MVC and WebFlux Applications

A path traversal vulnerability has been identified in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. This vulnerability affects applications using Spring MVC or Spring WebFlux that serve static resources from the file system and have versioned resource support enabled. Under these conditions, an attacker could send malicious requests to access files outside the designated resource directories.

5.4
Jun 9, 2026

Spring Framework Denial-of-Service Vulnerability in MVC and WebFlux Applications

A denial-of-service vulnerability has been identified in Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7. This vulnerability affects applications using Spring MVC or Spring WebFlux that serve static resources from the file system and have versioned resource support enabled. Under these conditions, an attacker can exploit the vulnerability by sending malicious requests that are slow to process, keeping HTTP connections occupied and potentially causing a denial-of-service condition on the application.

5.4
Jun 9, 2026

Spring Framework Information Disclosure Vulnerability in MVC and WebFlux Applications

A vulnerability allowing information disclosure has been identified in Spring Framework's MVC and WebFlux applications. This issue arises when static resources are resolved, potentially exposing protected resources. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

5.4
Jun 9, 2026

Spring Framework Denial-of-Service Vulnerability in WebFlux Multipart Request Processing

A denial-of-service vulnerability has been identified in Spring WebFlux applications that process multipart requests. This issue affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. The vulnerability can be exploited by sending malicious multipart requests that leak memory, potentially leading to a denial-of-service condition in the application.

5.4
Jun 9, 2026

Spring Framework Session Fixation Vulnerability in WebFlux Applications

A session fixation vulnerability has been identified in Spring Framework's WebFlux applications. This issue arises when a subdomain is compromised, potentially through cross-site scripting (XSS). The vulnerability allows an attacker to exchange a known session ID for that of an authenticated user, leading to unauthorized access. Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

5.1
Jun 9, 2026

Spring Framework WebSocket Module Predictable Session ID Vulnerability

A vulnerability exists in the Spring Framework's WebSocket module, where session IDs are not cryptographically secure, potentially leading to exploitation when combined with weak authorization rules. This issue affects Spring Framework versions 7.0.0 to 7.0.7, 6.2.0 to 6.2.18, 6.1.0 to 6.1.27, and 5.3.0 to 5.3.48.

5.4
Jun 9, 2026

Spring LDAP Authentication Bypass Vulnerability with Empty Password

A vulnerability exists in Spring LDAP versions 2.4.0 through 2.4.4, 3.2.0 through 3.2.17, 3.3.0 through 3.3.7, and 4.0.0 through 4.0.3. The issue arises in the DirContextAuthenticationStrategy implementations, which fail to reject bind requests that contain a non-empty username paired with an empty or null password. This oversight allows an attacker to bypass password verification on LDAP servers that accept such unauthenticated binds, exploiting the vulnerability through AbstractContextSource, LdapTemplate, or LdapClient.

2.3
Jun 9, 2026

Reactor Netty HTTP Client Credential Leak Vulnerability on Protocol Downgrade Redirect

A vulnerability exists in the Reactor Netty HTTP client, versions 1.0.0 prior to 1.0.51, 1.1.0 prior to 1.1.35, 1.2.0 prior to 1.2.17, and 1.3.0 prior to 1.3.5. In certain scenarios where HTTP redirects occur from a secure to an insecure endpoint, the client may unintentionally expose credentials. This issue arises only if the HTTP client is explicitly set to follow redirects.

4.9
Jun 9, 2026

Spring Retry Denial-of-Service Vulnerability via Cache Exhaustion in Stateful Retries

A denial-of-service vulnerability has been identified in Spring Retry versions 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4. This issue arises when stateful retries are enabled, and the cache keys for these retries are controlled by the attacker. Exploitation involves sending a large number of unique requests that trigger failures, filling the application-wide stateful retry cache. Once the cache is full, it permanently rejects further updates, causing subsequent stateful retries and circuit breakers to fail.

2.9
Jun 9, 2026

Spring HATEOAS Heap Exhaustion Vulnerability via Unbounded Internal Caching

A heap exhaustion vulnerability has been identified in Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3. This vulnerability arises from an unbounded static cache that stores StringLinkRelation instances, indexed by attacker-supplied strings. The issue affects applications that deserialize hypermedia from untrusted sources, such as through a @RequestBody linked to RepresentationModel, EntityModel, or CollectionModel, or by processing client-supplied Link headers.

2.4
Jun 9, 2026

Spring HATEOAS Property Binding Vulnerability in Collection+JSON and UBER Deserializers

A vulnerability exists in Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3. The issue arises in the internal PropertyUtils.createObjectFromProperties method, which is used by the Collection+JSON and UBER media type deserializers. This method performs bean property binding through reflection without considering Jackson access-control annotations. As a result, an application is vulnerable if it has enabled the COLLECTION_JSON or UBER hypermedia type, exposes a controller accepting a RepresentationModel subclass or EntityModel as @RequestBody, and its bound model type has a setter for a security-sensitive property that is protected only by Jackson annotations.

2.3
Jun 9, 2026

Micrometer Denial-of-Service Vulnerability in HTTP Server Instrumentations

A denial-of-service vulnerability has been identified in Micrometer's HTTP server instrumentations. Specially crafted HTTP requests can lead to a DoS condition. This issue arises in applications using vulnerable versions of 'micrometer-core', 'micrometer-jetty11', or 'micrometer-jetty12', when the HTTP server instrumentations from these artifacts are active and metrics are being recorded.

6.4
Jun 9, 2026

Micrometer gRPC Server Instrumentation Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Micrometer versions 1.16.0 through 1.16.5 and 1.15.0 through 1.15.11. The issue arises when a user sends specially crafted gRPC requests that can disrupt service. An application is vulnerable if it uses affected Micrometer versions, has an ObservationRegistry that records observations, and is configured to output metrics from observations via the DefaultMeterObservationHandler or a custom observation handler. Additionally, the application must use the ObservationGrpcServerInterceptor to instrument its gRPC server.

3.4
Jun 9, 2026

QNAP QuMagie Missing Authorization Vulnerability Allowing Unauthorized Data Access and Actions

A missing authorization vulnerability in QNAP QuMagie has been reported, allowing remote attackers to access unauthorized data or perform unauthorized actions. This vulnerability affects versions prior to QuMagie 2.9.0.

5.9
Jun 9, 2026

tmux Use-After-Free Vulnerability in Sixel Image Handling

A use-after-free vulnerability has been identified in tmux versions through 3.6a. The issue arises in the 'image_free' function within 'image.c', where improper management of image data linked to the Sixel graphics protocol can lead to memory corruption. This vulnerability requires local access to exploit and is characterized by high complexity. When the global image count limit is exceeded, the oldest image is evicted, but references in the per-screen list are not updated, creating a potential for exploitation.

5.7
Jun 9, 2026

Product Filter Widget for Elementor Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Product Filter Widget for Elementor plugin for WordPress, affecting all versions through 1.0.6. The issue arises from inadequate input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts could execute if a user is tricked into clicking a link. The vulnerability is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, exploiting an absence of nonce verification or capability checks. The 'args[filterFormArray]' parameter is the vector for this attack.

3.5
Jun 9, 2026

jQuery Hover Footnotes Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the jQuery Hover Footnotes plugin for WordPress, affecting all versions through 1.4. The issue arises from inadequate input sanitization and output escaping, allowing authenticated attackers with author-level access or higher to inject arbitrary web scripts. These scripts execute when a user accesses the affected page. The vulnerability exploits the Footnote Qualifier syntax, bypassing WordPress's wp_kses_post() filtering by using attribute-breakout payloads that omit angle brackets.

3.1
Jun 9, 2026

jQuery Hover Footnotes Plugin for WordPress Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the jQuery Hover Footnotes plugin for WordPress, affecting all versions through 1.4. The vulnerability arises from inadequate nonce validation in the 'jqFootnotes_options_subpanel' function, allowing unauthenticated attackers to manipulate the plugin's settings with arbitrary values. These option values, including 'jqfoot_anchor_open', 'jqfoot_anchor_close', and 'jqfoot_title', are output unescaped into the frontend, creating a pathway for persistent Cross-Site Scripting (XSS) that impacts all site visitors. Exploitation of this CSRF vulnerability can lead to stored XSS, as the modified option values are saved without proper sanitization and displayed unescaped on the site.

3.5