CVE-2024-1037
Published 2024-02-07
CVE-2024-1037: The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all…
Priority: P4 · 22 · 6.1 medium (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.56% (42.1 percentile)
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidanderson | all-in-one_security_security_and_firewall | <= 5.2.5 | — |
| msrc | windows_11_version_22h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_23h2_for_arm64-based_systems | — | — |
| updraftplus | all-in-one_security | < 5.2.6 | 5.2.6 |
CVSS provenance
NVD (v3.1): 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vendor_msrc: 5.9 MEDIUM
GHSA
GHSA-mfxx-xjx2-rcm9 (ghsa_unreviewed · 2024-02-07) · CVE-2024-1037 [MEDIUM] · CWE-79: The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in
Microsoft
CVE-2024-37985 [MEDIUM] · CWE-1037 · vendor_msrc · 2024-07-09 · CVSS 5.9
Windows Kernel Information Disclosure Vulnerability
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
FAQ: Why does this CVE indicate that the vulnerability has been publicly disclosed?
This underlying vulnerability is due to an issue in the microarchitecture of certain ARM-based cores. Microsoft issued this CVE to document the Windows updates that address this underlying problem. This update mitigates against this vulnerability.
For more information on this public disclosure, please see: Prefetcher Side Channels: Armv8 Security Bulletin.
FAQ: What type of information coul
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/admin/wp-security-list-404.php#L32
https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/admin/wp-security-list-404.php#L50
https://plugins.trac.wordpress.org/changeset/3032127/all-in-one-wp-security-and-firewall/tags/5.2.6/admin/wp-security-list-404.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/b50772e5-5142-4f50-b5c0-6116a8821cba?source=cve
Published: 2024-02-07