CVE-2023-3996
Published 2023-10-20
Priority: P4 · 17 · medium · 4.8 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.46% (36.3th percentile)
The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| armemberplugin | armember | <= 4.0.14 | — |
CVSS provenance
nvd · v3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vendor_redhat · 7.5 HIGH
GHSA
ghsa_unreviewed·2023-10-20
CVE-2023-3996 [MEDIUM] CWE-79 GHSA-364j-ch9m-hp4h: The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including,
The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Palo Alto
PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-09-04·CVSS 6.0
CVE-2022-22965 [MEDIUM] PAN-SA-2024-0008 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2010-1622, CVE-2015-7552, CVE-2018-16840, CVE-2019-7639, CVE-2020-17049, CVE-2020-7774, CVE-2021-0131, CVE-2021-0132, CVE-2021-0133, CVE-2021-0134, CVE-2021-4044, CVE-2021-4160, CVE-2021-41773, CVE-2022-1343, CVE-2022-21449, CVE-2022-2274, CVE-2022-22963, CVE-2022-22965, CVE-2022-24697, CVE-2022-32207, CVE-2022-3358, CVE-2022-3996, CVE-2022-40664, CVE-2022-44792, CVE-2022-44793, CVE-2023-1255, CVE-2023-22809, CVE-2023-23919, CVE-2023-3341, CVE-2023-4236, CVE-2023-4863, CVE-2023-51767
Affected products: PAN-OS
Red Hat
openssl: double locking leads to denial of service
vendor_redhat·2022-12-13·CVSS 7.5
CVE-2022-3996 [HIGH] CWE-609 openssl: double locking leads to denial of service
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.
Policy processing is enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function.
Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
A vulnerability was found in OpenSSL. This security flaw occurs if an X.509 certificate contains a malformed p
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.svn.wordpress.org/armember-membership/tags/4.0.2/readme.md
https://plugins.svn.wordpress.org/armember-membership/tags/4.0.2/readme.txt
https://plugins.trac.wordpress.org/changeset/2988063/armember-membership/trunk/core/classes/class.arm_global_settings.php
https://plugins.trac.wordpress.org/changeset/2992936/armember-membership/trunk/core/classes/class.arm_global_settings.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2905086%40armember-membership%2Ftrunk&old=2885708%40armember-membership%2Ftrunk&sfp_email=&sfph_mail=
https://www.armemberplugin.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/c1022ac4-869e-415a-a7c8-3650421608ea?source=cve