Charitable Donations & Fundraising Team Security Vulnerabilities

CVE-2021-31678

An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's...

CVE-2021-31679

An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that allows attackers to delete admin and other members' account...

CVE-2021-31677

An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can modify admin and other members'...

CVE-2021-31676

A reflected XSS was discovered in PESCMS-V2.3.3. When combined with CSRF in the same file, they can cause bigger...

GiveWP – Donation Plugin and Fundraising Platform < 3.12.1 - Reflected Cross-Site Scripting

Description The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.12.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

Mattermost allows team admins to promote guests to team admins

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP...

Recurring PayPal Donations < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Recurring PayPal Donations plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

litellm vulnerable to improper access control in team management

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and unblocking any teams, as well as adding or deleting any...

litellm vulnerable to improper access control in team management

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and unblocking any teams, as well as adding or deleting any...

Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server

Mattermost allows team admins to promote guests to team admins in...

Swim Team <= v1.44.10777 - Local File Inclusion

The program /wp-swimteam/include/user/download.php allows unauthenticated attackers to retrieve arbitrary files from the...

WP Fundraising Donation and Crowdfunding Platform < 1.7.0 - Missing Authorization

Description The WP Fundraising Donation and Crowdfunding Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions surrounding donation modification in versions up to, and including, 1.6.4. This makes it possible for...

Exploit for Path Traversal in Grafana

grafanaExp 利用grafana...

Exploit for Authentication Bypass Using an Alternate Path or Channel in Jetbrains Teamcity

TeamCity CVE-2023-42793 Exploit This Python script exploits...

Exploit for CVE-2024-26229

CVE-2024-26229 Windows CSC服务特权提升漏洞。 ...

GiveWP – Donation Plugin and Fundraising Platform < 3.5.0 - Authenticated (GiveWP Manager+) PHP Object Injection

Description The GiveWP plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with give manager-level access and above, to inject a PHP Object. No known POP...

CVE-2020-24855

Directory Traversal vulnerability in easywebpack-cli before 4.5.2 allows attackers to obtain sensitive information via crafted GET...

team-cognito.com Cross Site Scripting vulnerability OBB-3902083

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

team-ulm.de Cross Site Scripting vulnerability OBB-3880404

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

CVE-2023-52574 team: fix null-ptr-deref when team device type is changed

In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140...

team-match.com Cross Site Scripting vulnerability OBB-3878870

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

CVE-2023-52574 team: fix null-ptr-deref when team device type is changed

In the Linux kernel, the following vulnerability has been resolved: team: fix null-ptr-deref when team device type is changed Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140...

WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection

WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. An attacker can possibly obtain sensitive information, modify data, and/or....

STHS v2 Web Portal 'team' parameter Multiple SQLi Vulnerabilities

STHS v2 Web Portal is prone to multiple SQL injection (SQLi) vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL...

CVE-2024-35676 WordPress Recurring PayPal Donations plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS.This issue affects Recurring PayPal Donations: from n/a through...

Microsoft Visual Studio Team Foundation Server Privilege Elevation Vulnerability (2719584)

This host is missing an important security update according to Microsoft Bulletin...

CVE-2024-3714 GiveWP – Donation Plugin and Fundraising Platform <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on...

Mattermost allows team admins to promote guests to team admins

Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP...

CVE-2024-35676 WordPress Recurring PayPal Donations plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS.This issue affects Recurring PayPal Donations: from n/a through...

CVE-2024-25099 WordPress Paytium: Mollie payment forms & donations Plugin <= 4.4.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS.This issue affects Paytium: Mollie payment forms & donations: from n/a through...

CVE-2024-25099 WordPress Paytium: Mollie payment forms & donations Plugin <= 4.4.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS.This issue affects Paytium: Mollie payment forms & donations: from n/a through...

CVE-2024-3714 GiveWP – Donation Plugin and Fundraising Platform <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on...

CVE-2024-5710 Improper Access Control in Team Management in berriai/litellm

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and unblocking any teams, as well as adding or deleting any...

CVE-2023-51415 WordPress GiveWP Plugin <= 3.2.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform allows Stored XSS.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2024-5710 Improper Access Control in Team Management in berriai/litellm

berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers to perform unauthorized actions such as creating, updating, viewing, deleting, blocking, and unblocking any teams, as well as adding or deleting any...

Cross Site Scripting (XSS)

@wangeditor/editor is vulnerable to Cross-site scripting (XSS). The vulnerability is due to missing input sanitization within the image upload function, which allows an attacker to execute arbitrary JavaScript in the...

CVE-2024-34758

Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through...

CVE-2023-51415

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform allows Stored XSS.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2023-51415 WordPress GiveWP Plugin <= 3.2.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform allows Stored XSS.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

Exclusive Addons for Elementor < 2.6.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member widget in all versions up to, and including, 2.6.9.6 due to insufficient input sanitization and output escaping on user supplied 'url' attribute. This makes it...

Essential Addons for Elementor PRO – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Carousel Widget

Description The Essential Addons for Elementor PRO – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team Member Carousel widget in all Pro versions up to, and including, 5.8.14 due to insufficient...

CVE-2024-34758

Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through...

IBM Jazz Team Server Detection

IBM Jazz Team Server, a base component for several IBM Jazz Foundation products, is installed on the remote...

CVE-2024-34758 WordPress FundEngine – Donation and Crowdfunding Platform plugin <= 1.6.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through...

wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function

There is a cross-site scripting (XSS) issue in wangEditor via the image upload function in version 4.7.11. This issue has been fixed in version...

CVE-2024-34758 WordPress FundEngine – Donation and Crowdfunding Platform plugin <= 1.6.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through...

CVE-2023-47858

Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted...

Mattermost viewing archived public channels permissions vulnerability

Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted...

CVE-2024-25099

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS.This issue affects Paytium: Mollie payment forms & donations: from n/a through...

CVE-2021-3670

MaxQueryDuration not honoured in Samba AD DC...