Vulnerabilities with Nuclei Scanner Templates

The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issues.

The pagination plugin before 1.0.7 for WordPress has multiple XSS issues.

The bws-smtp plugin before 1.1.0 for WordPress has multiple XSS issues.

The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS issues.

The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.

The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues.

The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues.

The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues.

The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues.

The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues.

The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues.

The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues.

The twitter-plugin plugin before 2.55 for WordPress has XSS.

The subscriber plugin before 1.3.5 for WordPress has multiple XSS issues.

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues.

The social-buttons-pack plugin before 1.1.1 for WordPress has multiple XSS issues.

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that sets up the default credentials on the device. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function sub_436D6 in IDA pro is identified to be setting up the configuration for the device. If one scrolls to the address 0x000437C2 then one can see that /current_config is being set as an ALIAS for /mnt/mtd/Config folder on the device. If one TELNETs into the device and navigates to /mnt/mtd/Config folder, one can observe that it contains various files such as Account1, Account2, SHAACcount1, etc. This means that if one navigates to http://[IPofcamera]/current_config/Sha1Account1 then one should be able to view the content of the files. The security researchers assumed that this was only possible only after authentication to the device. However, when unauthenticated access tests were performed for the same URL as provided above, it was observed that the device file could be downloaded without any authentication.

Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: Open redirection. The impact is: obtain sensitive information (remote).

ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.