Source |
CVE Liste |
Identifier |
3919281 |
Publication date |
2022-01-03 13:15:08 (seen: 2022-01-03 16:06:40) |
Title |
CVE-2021-24964 |
Text |
The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoints could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users. |
Sent |
Yes |