We provide planning and proposals, development, construction, operation, and advisory services for information systems in Sapporo City.

CMS Vulnerability Information


Between January 18 and February 15, 2021, one vulnerability was published.

  1. JVN#50470170
    2021/02/05
    WordPress
    Cross-site request forgery vulnerability
    http://jvn.jp/jp/JVN50470170/
    Name Directory plugin

Incidentally, I also obtained WordPress-related information that has not been posted to JVN, so I am pasting it here. This covers January 2021.

WordPress Plugin Vulnerabilities

  • Modern Events Calendar Lite < 5.16.6 – Authenticated SQL Injection
  • Modern Events Calendar Lite < 5.16.5 – Authenticated Arbitrary File Upload leading to RCE
  • Modern Events Calendar Lite < 5.16.5 – Unauthenticated Events Export
  • Modern Events Calendar Lite < 5.16.5 – Authenticated Stored Cross-Site Scripting (XSS)
  • Super Forms <= 4.9.602 – Unauthenticated PHP4 File Upload to RCE
  • uListing < 1.7 – Unauthenticated Arbitrary Post/Page Deletion
  • uListing < 1.7 – Unauthenticated SQL Injections
  • uListing < 1.7 – Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
  • uListing < 1.7 – Unauthenticated Information Disclosure
  • uListing < 1.7 – Unauthenticated WordPress Options Change
  • uListing < 1.7 – Unauthenticated Arbitrary Account Change
  • uListing < 1.7 – Unauthenticated Arbitrary Account Creation
  • Contact Form 7 Database Addon < 1.2.5.6 – CSV Injection
  • Doneren met Mollie < 2.8.5 – Unauthorised CSV Export leading to Sensitive Data Disclosure
  • Contact Form 7 Database Addon < 1.2.5.4 – Authenticated SQL Injections
  • Digital Climate Strike WP <= 1.0.0 – Redirect to Malicious Website due to Compromised JS Asset
  • Under Construction < 3.86 – Authenticated Stored Cross-Site Scripting (XSS)
  • Stockdio Historical Chart < 2.8.1 – Reflected Cross-Site Scripting (XSS)
  • 123ContactForm for WordPress <= 1.5.6 – Unauthenticated Arbitrary File Upload
  • 123ContactForm for WordPress <= 1.5.6 – Unauthenticated Arbitrary Post Creation
  • 123ContactForm for WordPress <= 1.5.6 – Validation Bypass via Plugin Verification
  • e-signature < 1.5.6.8 – Unauthenticated Arbitrary File Upload leading to RCE
  • WP Shieldon 1.6.3 – Unauthenticated Cross-Site Scripting (XSS)
  • 301 Redirects – Easy Redirect Manager < 2.51 – Authenticated SQL Injection
  • Simple Job Board < 2.9.4 – Authenticated Path Traversal Leading to Arbitrary File Download
  • FV Flowplayer Video Player < 7.4.38.727 – Authenticated Stored Cross-Site Scripting (XSS)
  • Easy Contact Form Pro < 1.1.1.9 – Authenticated Stored Cross-Site Scripting (XSS)
  • Elementor Contact Form DB < 1.6 – Unauthenticated & Unauthorised Form Submissions Export
  • Elementor Contact Form DB < 1.6 – Plugin Settings Cross-Site Request Forgery
  • Orbit Fox by ThemeIsle < 2.10.3 – Authenticated Privilege Escalation
  • Orbit Fox by ThemeIsle < 2.10.3 – Authenticated Stored Cross Site Scripting
  • WP Quick FrontEnd Editor <= 5.5 – Authenticated Settings Change leading to Stored XSS
  • WP Quick FrontEnd Editor <= 5.5 – Authenticated Content Injection
  • Custom Global Variables <= 1.0.5 – Stored Cross-Site Scripting (XSS)
  • Modal Survey < 2.0.1.8.2 – Authenticated PHP Object Injection
  • Modal Survey < 2.0.1.8.2 – Unauthenticated Arbitrary Survey Update, Deletion and Creation
  • Modal Survey < 2.0.1.8.2 – Authenticated Reflected Cross-Site Scripting (XSS)
  • WP24 Domain Check < 1.6.3 – Authenticated Stored Cross-Site Scripting (XSS)
  • Advanced Custom Fields < 5.8.12 – Cross-Site Scripting in Select2 dropdowns
  • Elementor < 3.0.14 – SVG Upload Allowed by Default
  • Stripe Payments < 2.0.40 – Authenticated Stored Cross-Site Scripting (XSS)
  • WP Paginate < 2.1.4 – Authenticated Stored Cross-Site Scripting (XSS)
  • Contact Form Submissions <= 1.6.4 – Authenticated SQL Injection
  • Contact Form Submissions <= 1.6.4 – Authenticated Double Query SQL injection

That is quite a lot. I think it is necessary to check daily whether updates have arrived.

The previous report is here
