| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The slick-popup plugin before 1.7.2 for WordPress has a hardcoded OmakPass13# password for the slickpopupteam account, after a Subscriber calls a certain AJAX action. |
| The breadcrumbs-by-menu plugin before 1.0.3 for WordPress has XSS. |
| JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XSS), potentially making it possible to send an arbitrary HTTP request to a TeamCity server under the name of the currently logged-in user. |
| The easy-pdf-restaurant-menu-upload plugin before 1.1.2 for WordPress has XSS. |
| The custom-404-pro plugin before 3.2.8 for WordPress has reflected XSS, a different vulnerability than CVE-2019-14789. |
| The webp-express plugin before 0.14.8 for WordPress has stored XSS. |
| The wp-ultimate-recipe plugin before 3.12.7 for WordPress has stored XSS. |
| The simple-mail-address-encoder plugin before 1.7 for WordPress has reflected XSS. |
| The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS. |
| The photoblocks-grid-gallery plugin before 1.1.33 for WordPress has wp-admin/admin.php?page=photoblocks-edit&id= XSS. |
| The onesignal-free-web-push-notifications plugin before 1.17.8 for WordPress has XSS via the subdomain parameter. |
| The easy-property-listings plugin before 3.4 for WordPress has XSS. |
| The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions. |
| Multiple stored XSS vulnerabilities in Sentrifugo 3.2 could allow authenticated users to inject arbitrary web script or HTML. |
| In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS. |
| Insufficient sanitization during device search in Netdisco 2.042010 allows for reflected XSS via manipulation of a URL parameter. |
| An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware. |
| An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware image contains encrypted passwords that are used to authenticate users wishing to access a diagnostics or password-recovery menu. Using the hardcoded cryptographic key found elsewhere in the firmware, these passwords can be decrypted. This is related to fds_sys_passDebugPasswd_ret() and fds_sys_passRecoveryPasswd_ret() in libfds.so.0.0. |
| WebTorrent before 0.107.6 allows XSS in the HTTP server via a title or file name. |
| The woo-variation-gallery plugin before 1.1.29 for WordPress has XSS. |
