Security Vulnerabilities, CVEs, Published In August 2019

The tubepress plugin before 1.6.5 for WordPress has XSS.

The google-analyticator plugin before 5.2.1 for WordPress has insufficient HTML sanitization for Google Analytics API text.

The user-access-manager plugin before 1.2 for WordPress has CSRF.

The redirection plugin before 2.2.9 for WordPress has XSS in the admin menu, a different issue than CVE-2011-4562.

The job-manager plugin before 0.7.19 for WordPress has multiple XSS issues.

The count-per-day plugin before 3.2.3 for WordPress has XSS via search words.

The formbuilder plugin before 0.9.1 for WordPress has XSS via a Referer header.

The events-manager plugin before 5.1.7 for WordPress has XSS via JSON call links.

The redirection plugin before 2.2.12 for WordPress has XSS, a different issue than CVE-2011-4562.

The sharebar plugin before 1.2.2 for WordPress has XSS, a different issue than CVE-2013-3491.

The sharebar plugin before 1.2.2 for WordPress has SQL injection.

Windu CMS 2.2 allows CSRF via admin/users/?mn=admin.message.error to add an admin account.

Windu CMS 2.2 allows XSS via the name parameter to admin/content/edit or admin/content/add, or the username parameter to admin/users.

The contact-form-plugin plugin before 3.52 for WordPress has XSS.

The simple-fields plugin before 1.2 for WordPress has CSRF in the admin interface.

The events-manager plugin before 5.5.2 for WordPress has XSS in the booking form.

The events-manager plugin before 5.5 for WordPress has XSS via EM_Ticket::get_post.

The events-manager plugin before 5.3.9 for WordPress has XSS in the search form field.

The events-manager plugin before 5.3.6.1 for WordPress has XSS via the booking form and admin areas.

The contact-form-plugin plugin before 3.3.5 for WordPress has XSS.

The reflex-gallery plugin before 1.4.3 for WordPress has XSS.

The slidedeck2 plugin before 2.3.5 for WordPress has file inclusion.

It was found that foreman, versions 1.x.x before 1.15.6, in Satellite 6 did not properly enforce access controls on certain resources. An attacker with access to the API and knowledge of the resource name can access resources in other organizations.

A vulnerability was found in liblouis, versions 2.5.x before 2.5.4. A stack-based buffer overflow was found in findTable() in liblouis. An attacker could create a malicious file that would cause applications that use liblouis (such as Orca) to crash, or potentially execute arbitrary code when opened.

handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header.