CVE-2023-1912
Published 2023-04-06
Priority: P4 · 26 · Medium (CVSS 3.1 base score 6.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.79% (51.6th percentile)
The Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lock logging feature in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the plugin's settings page. This only works when the plugin prioritizes use of the X-FORWARDED-FOR header, which can be configured in its settings.
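The description above has two parts that have to line up for the bug to be reachable: the plugin must be configured to take the client address from X-Forwarded-For (a header any unauthenticated client can set), and the value it stores in the lockout log must then be echoed into the settings page without escaping. The model below is an added example that reproduces that pattern in miniature; it is not the plugin's code, and every function name, the `prefer_xff` switch and the sample request are assumptions made for illustration. It shows the vulnerable store-and-render path beside a hardened one that validates the stored value as an IP address and escapes on output.

```python
"""Model of a lockout log that trusts X-Forwarded-For (added example).

This is a stand-in for the pattern CVE-2023-1912 describes, not the
Limit Login Attempts plugin's own code. Names are assumptions.
"""
import html
import ipaddress
from typing import Dict, List, Tuple

LockLog = List[Tuple[str, int]]


def client_ip(headers: Dict[str, str], remote_addr: str, prefer_xff: bool) -> str:
    """Pick the address a lockout will be recorded under.

    With prefer_xff=True the first X-Forwarded-For value wins. That is the
    setting the advisory says is required: the header is written by the
    client, so the "address" is attacker-controlled text, not an IP.
    """
    if prefer_xff and "X-Forwarded-For" in headers:
        return headers["X-Forwarded-For"].split(",")[0].strip()
    return remote_addr


def record_lockout(log: LockLog, ip: str, attempts: int) -> None:
    """Insufficient input sanitization: the value is stored as received."""
    log.append((ip, attempts))


def render_unescaped(log: LockLog) -> str:
    """Insufficient output escaping: the admin page echoes stored values."""
    rows = "".join(f"<tr><td>{ip}</td><td>{n}</td></tr>" for ip, n in log)
    return f"<table>{rows}</table>"


def record_lockout_safe(log: LockLog, ip: str, attempts: int) -> None:
    """Hardened store: only a literal IPv4/IPv6 address may be logged."""
    try:
        canonical = str(ipaddress.ip_address(ip))
    except ValueError:
        raise ValueError(f"refusing to log non-IP value {ip!r}") from None
    log.append((canonical, int(attempts)))


def render_escaped(log: LockLog) -> str:
    """Hardened render: escape on output even though the store validates."""
    rows = "".join(
        f"<tr><td>{html.escape(ip)}</td><td>{int(n)}</td></tr>" for ip, n in log
    )
    return f"<table>{rows}</table>"


def demo() -> Tuple[str, bool, str]:
    """Run one forged request through both paths.

    Constructed input: the TCP peer is 203.0.113.7, but the request carries
    a forged X-Forwarded-For whose first hop is markup instead of an address.
    """
    headers = {"X-Forwarded-For": "<script>alert(1)</script>, 198.51.100.2"}
    ip = client_ip(headers, "203.0.113.7", prefer_xff=True)

    vulnerable: LockLog = []
    record_lockout(vulnerable, ip, 5)
    bad_html = render_unescaped(vulnerable)  # markup reaches the admin page

    safe: LockLog = []
    rejected = False
    try:
        record_lockout_safe(safe, ip, 5)
    except ValueError:
        rejected = True
        # Fall back to the socket address when the header is not an IP.
        record_lockout_safe(safe, "203.0.113.7", 5)
    good_html = render_escaped(safe)
    return bad_html, rejected, good_html


if __name__ == "__main__":
    bad, rejected, good = demo()
    print("vulnerable:", bad)
    print("rejected forged value:", rejected)
    print("hardened:  ", good)
```

The validation step matters beyond XSS: once a lockout log accepts arbitrary text, any other consumer of that log (exports, emails, other admin pages) inherits the problem, whereas an address that has been through `ipaddress.ip_address` can only ever be an address. Output escaping is still kept as the second layer because a future code path may store values the validator never saw. Independently of this bug, honouring X-Forwarded-For from arbitrary clients lets a brute-forcer choose which address gets locked out; the header should only be preferred when the site sits behind a proxy that overwrites it, which is the point the 2018 pluginvulnerabilities reference makes.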
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | limit_login_attempts | <= 1.7.1 | — |
| limit_login_attempts_project | limit_login_attempts | <= 1.7.1 | — |
GHSA
GHSA-wqcw-392x-3hhr (unreviewed, 2023-04-06) · CVE-2023-1912 [MEDIUM] · CWE-79
Same description as above: stored XSS via the lock logging feature in versions up to and including 1.7.1, reachable by unauthenticated attackers when the plugin is configured to prioritize X-FORWARDED-FOR, executing when an administrator views the plugin's settings page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- Fix changeset, 1.7.1 → 1.7.2: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=551920%40limit-login-attempts%2Ftags%2F1.7.1&new=2893850%40limit-login-attempts%2Ftags%2F1.7.2
- Wordfence blog (2023-04): https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impacting-600000-sites-patched-in-limit-login-attempts/
- Wordfence threat intel: https://www.wordfence.com/threat-intel/vulnerabilities/id/cb8c80fc-3b51-4003-b221-6f02e74bead0?source=cve
- Packet Storm: http://packetstormsecurity.com/files/171824/WordPress-Limit-Login-Attempts-1.7.1-Cross-Site-Scripting.html
- Plugin Vulnerabilities (2018, on trusting X-Forwarded-For): https://www.pluginvulnerabilities.com/2018/03/09/one-of-the-ten-most-popular-wordpress-plugins-isnt-needed-and-introduces-a-vulnerability-on-some-websites-using-it/