CVE-2021-25013
Published: 2022-01-24
Priority: P4
Severity: medium (CVSS 3.1 base score 6.5)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (network, low attack complexity, low privileges required, no user interaction, unchanged scope; no confidentiality impact, high integrity impact, no availability impact)
EPSS: 0.43% (34.3rd percentile)
The Qubely WordPress plugin before 1.7.8 performs neither an authorisation check nor a CSRF (nonce) check on the qubely_delete_saved_block AJAX action, and does not verify that the block to be deleted belongs to the plugin. As a result, any authenticated user, including a subscriber, can delete arbitrary posts. In WordPress a handler hooked to wp_ajax_{action} runs for every logged-in user regardless of role, so the handler itself has to verify the nonce, the caller's capability on the specific post, and that the target is actually one of the plugin's own records.
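The three missing checks, as an added PHP example. This is illustrative code written for this page, not Qubely's own handler or its 1.7.8 fix; the saved-block post type name `qubely_global`, the nonce action `qubely_nonce` and the `security` request field are assumed for illustration. The first handler reproduces the pattern the advisory describes; the second adds the nonce check, an object-level capability check and a post-type guard.

```php
<?php
// Added example for this page; not the plugin's code. Assumed names:
// post type 'qubely_global', nonce action 'qubely_nonce', field 'security'.

// Vulnerable pattern as described in the advisory: wp_ajax_* is reachable by
// every logged-in user, and the handler deletes whatever post ID it is given.
function qubely_delete_saved_block_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true ); // no nonce, no capability, no type check
    wp_send_json_success();
}

// Hardened handler: CSRF token, capability on that specific post, and a
// post-type guard so the endpoint can only remove the plugin's own records.
function qubely_delete_saved_block_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action; check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'qubely_nonce', 'security' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id ) {
        wp_send_json_error( 'missing post id', 400 );
    }

    // 2. Object-level authorisation: may *this* user delete *this* post?
    //    A subscriber has no delete_post capability on other users' content.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Scope: refuse anything that is not one of the plugin's saved blocks,
    //    so even a privileged caller cannot turn this endpoint into a generic
    //    post deleter.
    if ( get_post_type( $post_id ) !== 'qubely_global' ) {
        wp_send_json_error( 'not a saved block', 400 );
    }

    $deleted = wp_delete_post( $post_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_qubely_delete_saved_block', 'qubely_delete_saved_block_hardened' );

// The editor script has to send the nonce in the 'security' field; one way
// to hand it over (script handle 'qubely-editor' is assumed):
// wp_localize_script( 'qubely-editor', 'qubelyAjax',
//     array( 'nonce' => wp_create_nonce( 'qubely_nonce' ) ) );
```

The order matters for the information an attacker can extract: the nonce check runs first so that an unauthenticated or cross-site request learns nothing about which post IDs exist, and the capability check runs before the type check so that the response never confirms a post type to a user who may not touch that post anyway.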
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themeum | qubely | < 1.7.8 | 1.7.8 |
The two gnu/glibc ranges the feed also attaches to this record (< 2.27-3ubuntu1.5 and < 2.31-0ubuntu9.7 on Ubuntu) come from the OSV glibc advisory quoted below, which cites CVE-2019-25013, a different CVE; they do not describe this Qubely issue.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | | 5.9 | MEDIUM | score of the glibc advisory below, not of this issue |
OSV
glibc vulnerabilities (osv, 2022-03-01, CVSS 5.9)
This entry is the Ubuntu glibc advisory that cites CVE-2019-25013, not CVE-2021-25013, and does not concern the Qubely plugin.
Jan Engelhardt, Tavis Ormandy, and others discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could possibly use this issue to cause the GNU C Library to hang or crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2021-3326)
Jason Royes and Samuel Dytrych discovered that the GNU C Library incorrectly handled signed comparisons on ARMv7 targets. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-6096)
It was discovered that the
GHSA
GHSA-chxc-687f-jrfg (unreviewed, 2022-01-25): CVE-2021-25013, MEDIUM, CWE-352 (Cross-Site Request Forgery)
Carries the same description as the summary above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-01-24