CVE-2022-4310
Published 2023-01-09
Priority: P423 · CVSS 3.1 base score 6.1 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.64% (46.1 percentile)
The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the request URI when logging requests, which could allow unauthenticated attackers to perform stored cross-site scripting attacks against a logged-in admin viewing the logs. No account is needed: any request whose URI carries a script payload is written to the analytics log as-is and later rendered, unescaped, in the admin view.
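How the described bug plays out, as an added example and not the plugin's own code: a Python model of a request logger that stores the raw request-URI and later renders it in an admin page. `render_row_unsafe` is the vulnerable pattern (the stored string dropped into HTML verbatim), `render_row_safe` is the hardened one (escape per output context, and never let a stored value supply a link scheme), and `suspicious_entries` is a triage check over stored rows for payloads that have already landed. The log rows, IPs and helper names are constructed for the example; in a WordPress plugin the PHP equivalents of `html.escape` and `safe_href` would be `esc_html()` and `esc_url()` applied at output time.

```python
import html
import re
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample rows, modelled on what a request logger persists: the raw
# request-URI exactly as the (unauthenticated) client sent it.
LOGGED_REQUESTS = [
    {"ip": "203.0.113.5", "uri": "/blog/?p=42"},
    {"ip": "198.51.100.9", "uri": "/search/?q=wordpress%20plugins"},
    {"ip": "192.0.2.77", "uri": '/?x=<script>fetch("/wp-admin/user-new.php")</script>'},
    {"ip": "192.0.2.78", "uri": '/?x="><img src=x onerror=alert(document.cookie)>'},
]


def render_row_unsafe(entry):
    """Vulnerable pattern: the stored URI is interpolated into admin-page HTML
    verbatim, so a payload written by an anonymous visitor runs in the admin's
    browser when the log is viewed (stored XSS)."""
    return (
        f'<tr><td>{entry["ip"]}</td>'
        f'<td><a href="{entry["uri"]}">{entry["uri"]}</a></td></tr>'
    )


def safe_href(uri):
    """Turn a stored URI into something safe to place in an href attribute:
    discard any scheme/host (a stored "javascript:" or off-site URL must not
    become a link target), percent-encode path and query, then HTML-escape
    for the attribute context."""
    parts = urlsplit(uri)
    relative = urlunsplit(
        ("", "", quote(parts.path, safe="/%"), quote(parts.query, safe="=&/%"), "")
    )
    return html.escape(relative, quote=True)


def render_row_safe(entry):
    """Hardened pattern: every stored value is escaped for the context it lands
    in (attribute vs. text node) at output time."""
    return (
        f'<tr><td>{html.escape(entry["ip"])}</td>'
        f'<td><a href="{safe_href(entry["uri"])}">{html.escape(entry["uri"])}</a></td></tr>'
    )


# Heuristic triage pattern for log review: tag characters, a script scheme, or an
# event-handler attribute. Expect some false positives (e.g. "?onion=1").
MARKUP = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def suspicious_entries(entries):
    """Return stored rows whose URI (after percent-decoding, so encoded payloads
    are not missed) carries markup a vulnerable viewer would render."""
    return [e for e in entries if MARKUP.search(unquote(e["uri"]))]


if __name__ == "__main__":
    for row in LOGGED_REQUESTS:
        print("unsafe:", render_row_unsafe(row))
        print("safe:  ", render_row_safe(row))
    print("flagged:", [e["ip"] for e in suspicious_entries(LOGGED_REQUESTS)])
```

The fix belongs at output time regardless of any input filtering: stored values that predate a patch are still in the database, which is why the triage function decodes before matching and why an upgrade should be followed by a review of already-logged URIs.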
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp-slimstat | slimstat_analytics | < 4.9.3 | 4.9.3 |
CVSS provenance
| Source | Score | Severity | Vector / note |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | 9.8 | CRITICAL | Score from the Red Hat entry for CVE-2022-47966 (ManageEngine RCE) listed below; it is not a score for the Slimstat issue |
GHSA
GHSA-r87w-g396-c68p · ghsa_unreviewed · 2023-01-10
CVE-2022-4310 [MEDIUM] CWE-79
The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs
Red Hat
CVE-2022-47966 [CRITICAL] CWE-303 · vendor_redhat · 2023-01-19 · CVSS 9.8
ManageEngine: remote code execution vulnerability in multiple ManageEngine products
This entry describes a different vulnerability (CVE-2022-47966, Zoho ManageEngine) and is unrelated to the Slimstat Analytics stored XSS tracked as CVE-2022-4310.
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-01-09