8.6
HIGH
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.
Affected versions:
Spring Cloud Gateway 3.1.x (fixed in 3.1.13).
Spring Cloud Gateway 4.1.x (fixed in 4.1.13).
Spring Cloud Gateway 4.2.x (fixed in 4.2.9).
Spring Cloud Gateway 4.3.x (fixed in 4.3.5).
Spring Cloud Gateway 5.0.x (fixed in 5.0.2).
0.2%
2026-06-15
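The defensive rule behind this advisory is that X-Forwarded-For (and Forwarded) may only be honoured when the immediate peer is a proxy the gateway trusts; anything else is client-controlled and must be discarded, not appended to. The following is an added example written for this page, not Spring Cloud Gateway's code or configuration: the policy type, its method names, the trusted addresses and the request cases are all constructed, and it handles only X-Forwarded-For (the RFC 7239 Forwarded header needs the same trust decision with a different parser).

```rust
// Added example, not Spring Cloud Gateway code: a minimal trusted-proxy
// policy for X-Forwarded-For. The header is honoured only when the peer
// that delivered it is a trusted proxy; otherwise the chain is rebuilt
// from the peer address alone. All addresses below are constructed.
use std::net::IpAddr;

pub struct ForwardedPolicy {
    /// Proxies in front of the gateway allowed to set X-Forwarded-For
    /// (hypothetical values; a deployment would use its own ranges).
    pub trusted_proxies: Vec<IpAddr>,
}

impl ForwardedPolicy {
    pub fn is_trusted(&self, ip: IpAddr) -> bool {
        self.trusted_proxies.contains(&ip)
    }

    /// Parses the inbound chain, but only if the delivering peer is trusted
    /// and every hop parses as an IP; a malformed header from a trusted peer
    /// is dropped whole rather than partially honoured.
    fn inbound_chain(&self, peer: IpAddr, xff: Option<&str>) -> Vec<IpAddr> {
        let raw = match xff {
            Some(raw) if self.is_trusted(peer) => raw,
            _ => return Vec::new(),
        };
        let parsed: Option<Vec<IpAddr>> = raw
            .split(',')
            .map(|hop| hop.trim().parse::<IpAddr>().ok())
            .collect();
        parsed.unwrap_or_default()
    }

    /// Value to send to the backend: the accepted chain with the peer
    /// appended, or just the peer when the inbound header was not trusted.
    pub fn outbound_x_forwarded_for(&self, peer: IpAddr, xff: Option<&str>) -> String {
        let mut chain = self.inbound_chain(peer, xff);
        chain.push(peer);
        chain.iter().map(|ip| ip.to_string()).collect::<Vec<_>>().join(", ")
    }

    /// Real client address: walk the chain from the right and return the
    /// first hop that is not a trusted proxy. Everything to its left was
    /// written by the client and carries no trust.
    pub fn client_ip(&self, peer: IpAddr, xff: Option<&str>) -> IpAddr {
        let mut chain = self.inbound_chain(peer, xff);
        chain.push(peer);
        chain
            .iter()
            .rev()
            .copied()
            .find(|ip| !self.is_trusted(*ip))
            // Every hop was a trusted proxy (e.g. an internal probe); the
            // leftmost entry is the best answer available.
            .unwrap_or(chain[0])
    }
}

/// Constructed policy used by the demo and the checks below.
pub fn demo_policy() -> ForwardedPolicy {
    ForwardedPolicy {
        trusted_proxies: vec!["10.0.0.1".parse().unwrap(), "10.0.0.2".parse().unwrap()],
    }
}

fn main() {
    let p = demo_policy();
    // Constructed cases: a direct, untrusted client that tries to spoof a
    // proxy address, and a request relayed through both trusted proxies.
    let direct: IpAddr = "203.0.113.7".parse().unwrap();
    println!("{}", p.client_ip(direct, Some("10.0.0.1"))); // 203.0.113.7
    let via_proxy: IpAddr = "10.0.0.2".parse().unwrap();
    println!(
        "{}",
        p.client_ip(via_proxy, Some("1.2.3.4, 198.51.100.9, 10.0.0.1"))
    ); // 198.51.100.9
}
```

The right-to-left walk is what makes the client-controlled prefix harmless: a client that prepends addresses to its own X-Forwarded-For cannot move itself further right than the hop the first trusted proxy recorded.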
7.5
HIGH
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag, which truncates an existing file the guest was only supposed to read. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, and open_mode is what the later access control check compares against FilePerms to decide whether the open is permitted. The single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted (wasip2) and ERRNO_PERM (wasip1) respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's own wasmtime-cli is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and 44.0.2.
0.5%
2026-06-15
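The bug is easiest to see as a model of the two steps the advisory describes: reduce the open request's flags to an open mode, then check that mode against the preopen's FilePerms. The block below is an added example written for this page, not Wasmtime's code: the FilePerms and OpenMode names are borrowed from the advisory but their definitions here are a simplified stand-in, and OpenRequest, open_mode_for, check_open and the `fixed` switch (pre-fix behaviour versus the one-line fix) are hypothetical.

```rust
// Added example, not Wasmtime's code: a model of how an open request's
// flags are reduced to an open mode that is then checked against the
// preopen's FilePerms. `fixed = false` reproduces the pre-fix behaviour
// (TRUNCATE contributes nothing), `fixed = true` the corrected one.
use std::ops::BitOrAssign;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct FilePerms(u8);
impl FilePerms {
    pub const READ: FilePerms = FilePerms(0b01);
    pub const WRITE: FilePerms = FilePerms(0b10);
    pub fn all() -> FilePerms { FilePerms(0b11) }
    pub fn contains(self, other: FilePerms) -> bool { self.0 & other.0 == other.0 }
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct OpenMode(u8);
impl OpenMode {
    pub const NONE: OpenMode = OpenMode(0);
    pub const READ: OpenMode = OpenMode(0b01);
    pub const WRITE: OpenMode = OpenMode(0b10);
    pub fn contains(self, other: OpenMode) -> bool { self.0 & other.0 == other.0 }
}
impl BitOrAssign for OpenMode {
    fn bitor_assign(&mut self, rhs: OpenMode) { self.0 |= rhs.0; }
}

/// The parts of a wasip2 `descriptor.open-at` / wasip1 `path_open` request
/// that matter for the access check (hypothetical field names).
#[derive(Clone, Copy, Debug, Default)]
pub struct OpenRequest {
    pub read: bool,     // descriptor-flags `read`
    pub write: bool,    // descriptor-flags `write`
    pub create: bool,   // OpenFlags::CREATE
    pub truncate: bool, // OpenFlags::TRUNCATE
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum OpenError {
    /// wasip2 `error-code.not-permitted` / wasip1 `ERRNO_PERM`
    NotPermitted,
}

/// Reduces the request to the access it actually needs on the file.
pub fn open_mode_for(req: OpenRequest, fixed: bool) -> OpenMode {
    let mut open_mode = OpenMode::NONE;
    if req.read { open_mode |= OpenMode::READ; }
    if req.write { open_mode |= OpenMode::WRITE; }
    if req.create { open_mode |= OpenMode::WRITE; }
    if req.truncate && fixed {
        // Truncation discards the file's contents, so it is a write even
        // when no write descriptor flag was requested. Pre-fix this
        // assignment was missing, so a truncate-only open needed nothing.
        open_mode |= OpenMode::WRITE;
    }
    open_mode
}

/// Access check: every mode the open needs must be granted by the
/// preopen's FilePerms, otherwise the open is refused before touching disk.
pub fn check_open(perms: FilePerms, req: OpenRequest, fixed: bool) -> Result<OpenMode, OpenError> {
    let mode = open_mode_for(req, fixed);
    if mode.contains(OpenMode::READ) && !perms.contains(FilePerms::READ) {
        return Err(OpenError::NotPermitted);
    }
    if mode.contains(OpenMode::WRITE) && !perms.contains(FilePerms::WRITE) {
        return Err(OpenError::NotPermitted);
    }
    Ok(mode)
}

fn main() {
    // Constructed scenario from the advisory: preopen granted FilePerms::READ only.
    let read_only = FilePerms::READ;
    let truncate_only = OpenRequest { truncate: true, ..Default::default() };
    println!("pre-fix: {:?}", check_open(read_only, truncate_only, false)); // Ok(OpenMode(0)): bypass
    println!("fixed:   {:?}", check_open(read_only, truncate_only, true));  // Err(NotPermitted)
}
```

The general lesson is the one an embedder should check in any capability layer: every flag that can mutate state (create, truncate, append) has to widen the required mode before the permission comparison, or the comparison is testing the wrong question.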
7.5
HIGH
Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.
0.3%
2026-06-15
9.3
CRITICAL
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
0.3%
2026-06-15
7.1
HIGH
Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions.
0.2%
2026-06-15
7.1
HIGH
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions.
0.2%
2026-06-15
6.5
MEDIUM
Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.
0.2%
2026-06-15
6.5
MEDIUM
Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions.
0.1%
2026-06-15
6.5
MEDIUM
Subscriber Cross Site Scripting (XSS) in Modula Image Gallery <= 2.14.23 versions.
0.2%
2026-06-15
8.1
HIGH
Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
0.3%
2026-06-15
7.1
HIGH
Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions.
0.4%
2026-06-15
7.5
HIGH
Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions.
0.5%
2026-06-15
7.5
HIGH
Unauthenticated Sensitive Data Exposure in Bookly <= 27.4 versions.
0.3%
2026-06-15
7.5
HIGH
Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions.
0.3%
2026-06-15
9.3
CRITICAL
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.
0.3%
2026-06-15
8.2
HIGH
Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions.
0.3%
2026-06-15
6.5
MEDIUM
Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.
0.2%
2026-06-15
6.5
MEDIUM
Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions.
0.4%
2026-06-15
8.8
HIGH
Custom role Path Traversal in WP Customer Area <= 8.3.4 versions.
0.4%
2026-06-15
6.5
MEDIUM
Subscriber Sensitive Data Exposure in Contest Gallery <= 28.1.7 versions.
0.3%
2026-06-15
6.5
MEDIUM
Subscriber Broken Access Control in Advanced Form Integration <= 1.126.12 versions.
0.3%
2026-06-15
7.1
HIGH
Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.3.8 versions.
0.2%
2026-06-15
5.3
MEDIUM
Unauthenticated Other Vulnerability Type in Contest Gallery <= 28.1.7 versions.
0.2%
2026-06-15
6.5
MEDIUM
Subscriber Cross Site Scripting (XSS) in Contest Gallery <= 28.1.6 versions.
0.2%
2026-06-15
5.9
MEDIUM
Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions.
0.2%
2026-06-15
6.3
MEDIUM
Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions.
0.2%
2026-06-15
7.2
HIGH
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions.
0.2%
2026-06-15
7.1
HIGH
Unauthenticated Cross Site Scripting (XSS) in Favicon Rotator <= 1.2.11 versions.
0.2%
2026-06-15
6.5
MEDIUM
Unauthenticated Broken Access Control in Classified Listing <= 5.3.8 versions.
0.2%
2026-06-15
9.3
CRITICAL
Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.
0.3%
2026-06-15
8.1
HIGH
Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.
0.4%
2026-06-15
9.3
CRITICAL
Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.
0.3%
2026-06-15
7.5
HIGH
Unauthenticated Sensitive Data Exposure in Simply Schedule Appointments < 1.6.11.2 versions.
0.3%
2026-06-15
9.3
CRITICAL
Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.
0.3%
2026-06-15
6.5
MEDIUM
Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions.
0.4%
2026-06-15
6.5
MEDIUM
Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.
0.2%
2026-06-15
5.3
MEDIUM
Unauthenticated Broken Authentication in Simple Cloudflare Turnstile <= 1.38.0 versions.
0.3%
2026-06-15
9.3
CRITICAL
Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions.
0.3%
2026-06-15
6.5
MEDIUM
Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions.
0.3%
2026-06-15
6.5
MEDIUM
Subscriber Broken Access Control in Amelia <= 2.2 versions.
0.3%
2026-06-15
6.5
MEDIUM
Subscriber Broken Access Control in myCred <= 3.0.3 versions.
0.3%
2026-06-15
6.5
MEDIUM
Subscriber Broken Access Control in Groundhogg < 4.4.1 versions.
0.3%
2026-06-15
6.3
MEDIUM
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
0.2%
2026-06-15
7.1
HIGH
Unauthenticated Cross Site Scripting (XSS) in WP Time Slots Booking Form <= 1.2.46 versions.
0.2%
2026-06-15
6.5
MEDIUM
Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions.
0.3%
2026-06-15
7.5
HIGH
Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions.
0.3%
2026-06-15
7.1
HIGH
Subscriber Broken Access Control in ChatBot <= 7.9.7 versions.
0.3%
2026-06-15
7.1
HIGH
Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.0.0 versions.
0.2%
2026-06-15
7.1
HIGH
Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.
0.4%
2026-06-15
6.5
MEDIUM
Unauthenticated Broken Access Control in WPAdverts <= 2.3.0 versions.
0.2%
2026-06-15