Live-Hack-CVE/CVE-2022-4478 The Font Awesome WordPress plugin before 4.3.2 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. CVE project by @Sn0wAlice Create: 2023-01-17 01:57:55 +0000 UTC Push: 2023-01-17 01:57:59 +0000 UTC |

Live-Hack-CVE/CVE-2022-4477 The Smash Balloon Social Post Feed WordPress plugin before 4.1.6 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. CVE project by @Sn0wAlice Create: 2023-01-17 01:57:51 +0000 UTC Push: 2023-01-17 01:57:54 +0000 UTC |

Live-Hack-CVE/CVE-2022-4476 The Download Manager WordPress plugin before 3.2.62 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins. CVE project by @Sn0wAlice Create: 2023-01-17 01:57:46 +0000 UTC Push: 2023-01-17 01:57:49 +0000 UTC |

Live-Hack-CVE/CVE-2022-4469 The Simple Membership WordPress plugin before 4.2.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as adm CVE project by @Sn0wAlice Create: 2023-01-17 01:57:42 +0000 UTC Push: 2023-01-17 01:57:45 +0000 UTC |

Live-Hack-CVE/CVE-2022-4464 Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such CVE project by @Sn0wAlice Create: 2023-01-17 01:57:37 +0000 UTC Push: 2023-01-17 01:57:40 +0000 UTC |

Live-Hack-CVE/CVE-2022-4453 The 3D FlipBook WordPress plugin through 1.13.2 does not validate or escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against high privilege users like administrators. CVE project by @Sn0wAlice Create: 2023-01-17 01:57:32 +0000 UTC Push: 2023-01-17 01:57:36 +0000 UTC |

Live-Hack-CVE/CVE-2022-3904 The MonsterInsights WordPress plugin before 8.9.1 does not sanitize or escape page titles in the top posts/pages section, allowing an unauthenticated attacker to inject arbitrary web scripts into the titles by spoofing requests to google analytics. CVE project by @Sn0wAlice Create: 2023-01-17 01:57:28 +0000 UTC Push: 2023-01-17 01:57:31 +0000 UTC |

Live-Hack-CVE/CVE-2022-45438 When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. CVE project by @Sn0wAlice Create: 2023-01-16 21:33:49 +0000 UTC Push: 2023-01-16 21:33:52 +0000 UTC |

Live-Hack-CVE/CVE-2022-43721 An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. CVE project by @Sn0wAlice Create: 2023-01-16 21:33:45 +0000 UTC Push: 2023-01-16 21:33:48 +0000 UTC |

Live-Hack-CVE/CVE-2022-43720 An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. CVE project by @Sn0wAlice Create: 2023-01-16 21:33:40 +0000 UTC Push: 2023-01-16 21:33:43 +0000 UTC |

Live-Hack-CVE/CVE-2022-43719 Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. CVE project by @Sn0wAlice Create: 2023-01-16 21:33:37 +0000 UTC Push: 2023-01-16 21:33:39 +0000 UTC |

Live-Hack-CVE/CVE-2022-43718 Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. CVE project by @Sn0wAlice Create: 2023-01-16 21:33:32 +0000 UTC Push: 2023-01-16 21:33:34 +0000 UTC |

Live-Hack-CVE/CVE-2022-43717 Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0. CVE project by @Sn0wAlice Create: 2023-01-16 21:33:29 +0000 UTC Push: 2023-01-16 21:33:31 +0000 UTC |

Live-Hack-CVE/CVE-2022-41703 A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUB CVE project by @Sn0wAlice Create: 2023-01-16 21:33:24 +0000 UTC Push: 2023-01-16 21:33:27 +0000 UTC |

Live-Hack-CVE/CVE-2016-15020 A vulnerability was found in liftkit database up to 2.13.1. It has been classified as critical. This affects the function processOrderBy of the file src/Query/Query.php. The manipulation leads to sql injection. Upgrading to version 2.13.2 is able to address this issue. The name of the patch is 42ec8f2b22e0b0b98fb5b4444 CVE project by @Sn0wAlice Create: 2023-01-16 21:33:19 +0000 UTC Push: 2023-01-16 21:33:23 +0000 UTC |

Live-Hack-CVE/CVE-2013-10012 A vulnerability, which was classified as critical, was found in antonbolling clan7ups. Affected is an unknown function of the component Login/Session. The manipulation leads to sql injection. The name of the patch is 25afad571c488291033958d845830ba0a1710764. It is recommended to apply a patch to fix this issue. The ide CVE project by @Sn0wAlice Create: 2023-01-16 21:33:15 +0000 UTC Push: 2023-01-16 21:33:16 +0000 UTC |

Live-Hack-CVE/CVE-2010-10005 A vulnerability was found in msmania poodim. It has been declared as critical. This vulnerability affects unknown code of the component Command Line Argument Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The name of the patch is 6340d5d2c81e55e61522c4b40a6cdd5c397 CVE project by @Sn0wAlice Create: 2023-01-16 21:33:11 +0000 UTC Push: 2023-01-16 21:33:14 +0000 UTC |

Live-Hack-CVE/CVE-2021-4313 A vulnerability was found in NethServer phonenehome. It has been rated as critical. This issue affects the function get_info/get_country_coor of the file server/index.php. The manipulation leads to sql injection. The name of the patch is 759c30b0ddd7d493836bbdf695cf71624b377391. It is recommended to apply a patch to fi CVE project by @Sn0wAlice Create: 2023-01-16 21:33:07 +0000 UTC Push: 2023-01-16 21:33:10 +0000 UTC |

Live-Hack-CVE/CVE-2018-25076 A vulnerability classified as critical was found in Events Extension. Affected by this vulnerability is the function getRandomFeaturedEventByDate/getUpcomingFeaturedEventsInCategoriesWithSubcategories/recacheEvent/searchResults of the file classes/events.php. The manipulation leads to sql injection. The name of the pat CVE project by @Sn0wAlice Create: 2023-01-16 21:33:02 +0000 UTC Push: 2023-01-16 21:33:06 +0000 UTC |

Live-Hack-CVE/CVE-2015-10053 A vulnerability classified as critical has been found in prodigasistemas curupira up to 0.1.3. Affected is an unknown function of the file app/controllers/curupira/passwords_controller.rb. The manipulation leads to sql injection. Upgrading to version 0.1.4 is able to address this issue. The name of the patch is 93a9a77 CVE project by @Sn0wAlice Create: 2023-01-16 21:32:58 +0000 UTC Push: 2023-01-16 21:33:01 +0000 UTC |