Handsome Testimonials & Reviews Project Security Vulnerabilities

Malicious code in fing-react-components (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (4e606602dc2c4b6d0550d90156a68cf31799054412bac90062d266e5bcad3d76) The OpenSSF Package Analysis project identified 'fing-react-components' @ 1.15.0 (npm) as malicious. It is considered malicious because: The...

Malicious code in @wdp-gov/catalog-serialization-engine (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (279671687dd3fcc407084cb5aeaab3c707cf47164e8b81c3f1665b61ce19dfd9) The OpenSSF Package Analysis project identified '@wdp-gov/catalog-serialization-engine' @ 3.0.195 (npm) as malicious. It is considered malicious...

CVE-2024-6323

Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. Notes Author| Note ---|--- alexmurray | Only affectes GitLab...

CVE-2024-4901

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit...

BIT-gitlab-2024-2191

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members...

Malicious code in cptalertbox (npm)

-= Per source details. Do not edit below this line.=- Source: checkmarx (88c1f10ff1d7a9b89a479bd30b9548a7adc533c677f7913c88563b08e9d28814) Malicious packages campaign since 2021 targeting developers, steals source code and secrets Source: ossf-package-analysis...

Malicious code in nt4padyp3 (PyPI)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6999b5e1cf4a39c5ee73a61b953c0592465267806362b2485d61f8372242370d) The OpenSSF Package Analysis project identified 'nt4padyp3' @ 0.0.2 (pypi) as malicious. It is considered malicious because: The package executes...

CVE-2023-28838

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server....

Atlassian Jira 8.2.x < 8.6.0 Improper Authorization on Project Titles Information Disclosure Vulnerability (JRASERVER_70569)

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is version 8.2.x prior to 8.6.0. It is, therefore, affected by an information disclosure vulnerability due to improper authorization checks. An authenticated, remote attacker can exploit...

CVE-2024-32822

Missing Authorization vulnerability in impleCode Reviews Plus.This issue affects Reviews Plus: from n/a through...

CVE-2023-45805

pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project...

CVE-2024-1693 SP Project & Document Manager <= 4.70 - Authenticated (Subscriber+) Arbitrary Folder Name Update

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level...

CVE-2024-1693 SP Project & Document Manager <= 4.70 - Authenticated (Subscriber+) Arbitrary Folder Name Update

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level...

CVE-2022-43591

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this...

Malicious code in blue-oval-theme (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (c708f4696b33e43ba9ca5b70bafa9ac82b1ee694df0caa84f7283885ff8d5544) The OpenSSF Package Analysis project identified 'blue-oval-theme' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...

CVE-2024-1849

The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious...

Quiz And Survey Master < 9.0.2 - Contributor+ SQLi

Description The plugin is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role PoC 1) You will need a valid nonce for deletion of quiz questions. 2) Sign in....

CVE-2024-33923 WordPress SP Project & Document Manager plugin <= 4.69 - Broken Access Control vulnerability

Missing Authorization vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through...

Malicious code in donuts.node-build (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6b8d6fee5827de9688cc9b83812dc32e54e33531a0bd2fd179dc3e2935564dc7) The OpenSSF Package Analysis project identified 'donuts.node-build' @ 99.99.104 (npm) as malicious. It is considered malicious because: - The...

Malicious code in webquickauth (PyPI)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (e838cec17c1006b567e2a70f9554fd2a040c9fb0cfdf8d753e81548c1ea02c49) The OpenSSF Package Analysis project identified 'webquickauth' @ 2.3.5 (pypi) as malicious. It is considered malicious because: The package...

CVE-2022-40983

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to....

CVE-2024-5218

The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Animated AL List <= 1.0.6 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2022-31061

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability......

Malicious code in draconianspeed (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b1212e40bb57fce7672f50431153645b13624cc1e2061b44c0b91fec275e7853) The OpenSSF Package Analysis project identified 'draconianspeed' @ 5.0.0 (npm) as malicious. It is considered malicious because: The package...

Malicious code in twentynineteen (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (41e718fa7d54fba600dedc033d1d1c93b282fdae82403869bf77c53363acf842) The OpenSSF Package Analysis project identified 'twentynineteen' @ 2.5.1 (npm) as malicious. It is considered malicious because: The package...

Malicious code in itfd (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b402206ef266d63280b9361618b5ece377520d29080572d05c4a7dd0010f1e54) The OpenSSF Package Analysis project identified 'itfd' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates...

Malicious code in @yu-life/yulife-bdd-framework (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (8dfe091de922cc251578223955b74b56ade98fa67b719bcaa584d3403602f992) The OpenSSF Package Analysis project identified '@yu-life/yulife-bdd-framework' @ 0.0.72 (npm) as malicious. It is considered malicious because: ...

[SECURITY] Fedora 40 Update: libopenmpt-0.7.8-1.fc40

libopenmpt is a cross-platform C++ and C library to decode tracked music files (modules) into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project (Open ModPlug Tracker). In order to avoid code base fragmentation, libopenmpt is developed in the same source code...

[SECURITY] Fedora 39 Update: libopenmpt-0.7.8-1.fc39

libopenmpt is a cross-platform C++ and C library to decode tracked music files (modules) into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project (Open ModPlug Tracker). In order to avoid code base fragmentation, libopenmpt is developed in the same source code...

SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR

Description The plugin lacks proper access controllers and allows a logged in user to view and download files belonging to another...

Malicious code in pd-ui-kit (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b46ebcb2f76102916a1ab764b5af360b8c6cdd1dc56a269538132bcc4e307983) The OpenSSF Package Analysis project identified 'pd-ui-kit' @ 1.5.1 (npm) as malicious. It is considered malicious because: The package...

Malicious code in quickwebbasicauth (PyPI)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (e8ebea7be43f522c7fd45c4793bcac3b33c5ffafa2dc9ea3e0f28657bc650819) The OpenSSF Package Analysis project identified 'quickwebbasicauth' @ 2.3.2 (pypi) as malicious. It is considered malicious because: The package...

Malicious code in @wdpx/themes (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (027f3f6ecca8b2d2bd6a4d8c6b358eb1ea8ea1f094cfe3d2606095b6b17d822f) The OpenSSF Package Analysis project identified '@wdpx/themes' @ 3.0.2 (npm) as malicious. It is considered malicious because: The package...

Malicious code in melichat-component-library (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (1d7d152708054848a62109924487b7dcacac50e054b19a8682b3b0b26b279e6b) The OpenSSF Package Analysis project identified 'melichat-component-library' @ 1.1.0 (npm) as malicious. It is considered malicious because: The...

Malicious code in iobeya-time-utils (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (5cc94a15fd9feb4f7fd5146415061bfe386fd2d185f1e0d80fc3ecd40ce7adb2) The OpenSSF Package Analysis project identified 'iobeya-time-utils' @ 3.0.0 (npm) as malicious. It is considered malicious because: The package...

Malicious code in comet-chat-react-ui-kit (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (9a6f38c4d9dd2413e237c8d146d5fcf11d04f613910b552a32a52b3e4cf199f6) The OpenSSF Package Analysis project identified 'comet-chat-react-ui-kit' @ 1.0.1 (npm) as malicious. It is considered malicious because: The...

CVE-2023-36808

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native.....

CVE-2024-4858

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to...

CVE-2022-31068

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated......

CVE-2023-22724

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS...

Malicious code in storefront-h5-sdk (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (3bdecd59d5667e506fd4f66d29c575454020e37384211ce8a27e463cd6971298) The OpenSSF Package Analysis project identified 'storefront-h5-sdk' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...

CVE-2024-36106

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This....

Simple AL Slider <= 1.2.10 - Reflected XSS

Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

Malicious code in parallel-workers (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (abf4ac32d4bbbf2bca51efed2166f670c707230f7da2b87c1318cbe8ca9dade1) The OpenSSF Package Analysis project identified 'parallel-workers' @ 99.99.101 (npm) as malicious. It is considered malicious because: - The...

Malicious code in odyssey-lint-staged (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (0b408f794010d1926bb9841d26fd28c91c97d8f11d71acea664c92ccb5a06a54) The OpenSSF Package Analysis project identified 'odyssey-lint-staged' @ 9.9.5 (npm) as malicious. It is considered malicious because: The package...

Malicious code in mesbah-unclaim (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (263dd8e3a7c219627fe6ca196c18bb5262996c68f086fd118d74caec6e06aee1) The OpenSSF Package Analysis project identified 'mesbah-unclaim' @ 2.0.0 (npm) as malicious. It is considered malicious because: - The package...

Malicious code in tempomati-omega-69-emcuf7 (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (a012c605870034511688f664880e997bc8423cd7707f3de28326adc144f4fb4a) The OpenSSF Package Analysis project identified 'tempomati-omega-69-emcuf7' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The...

BIT-argo-cd-2024-36106

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This....

Malicious code in tempomati-omega-5-emcuf311 (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (865979d6590ceed06ce4e4e3bcc1ad05be4caec6967f82f7654fa9e709ca97fc) The OpenSSF Package Analysis project identified 'tempomati-omega-5-emcuf311' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The.....