Vulnerabilities for 'Textpattern'

2022-06-29
 
CVE-2021-40642

CWE-565
 

 
Textpattern CMS v4.8.7 and older are affected by a Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability via textpattern/lib/txplib_misc.php. The secure flag is not set for the txp_login session cookie in the application. If the secure flag is not set, the cookie will be transmitted in clear text if the user visits any HTTP URL within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.

 
2022-06-14
 
CVE-2021-40658

CWE-74
 

 
Textpattern 4.8.7 is affected by an HTML injection vulnerability through "Content>Write>Body".

 
2022-03-29
 
CVE-2021-44082

CWE-79
 

 
Textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can use XSS to trigger remote code execution by uploading a webshell. To do so, they must first steal the CSRF token before submitting a file upload request.

 
2021-08-19
 
CVE-2021-28001

CWE-79
 

 
A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting https://site.com/articles/welcome-to-your-site#comments-head.

 
 
CVE-2021-28002

CWE-79
 

 
A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the 'Articles' page.

 
2021-07-26
 
CVE-2020-23239

CWE-79
 

 
Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.

 
2021-04-15
 
CVE-2021-30209

CWE-434
 

 
Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.

 
2021-01-26
 
CVE-2020-35854

CWE-79
 

 
Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter.

 
2020-12-02
 
CVE-2020-29458

CWE-352
 

 
Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.

 
2020-08-14
 
CVE-2015-8033

CWE-521
 

 
In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.

 


Copyright 2024, cxsecurity.com
