Buddyboss: Security Vulnerabilities
Cross-Site Scripting vulnerability
in BuddyBoss 2.2.9 version
, which could allow a local attacker with basic privileges to execute a malicious payload through the "[name]=image.jpg" parameter, allowing to assign a persistent javascript payload that would be triggered when the associated image is loaded.
CVSS Score
9.0
EPSS Score
0.002
Published
2023-10-03
A stored XSS vulnerability has been found on BuddyBoss Platform affecting version 2.2.9. This vulnerability allows an attacker to store a malicious javascript payload via POST request when sending an invitation.
CVSS Score
6.3
EPSS Score
0.002
Published
2023-10-03
BuddyBoss Platform through 1.8.0 allows XSS via the Group Name or Group Description field.
CVSS Score
5.4
EPSS Score
0.005
Published
2022-01-26
BuddyBoss Platform through 1.8.0 allows remote attackers to obtain the email address of each user. When creating a new user, it generates a Unique ID for their profile. This UID is their private email address with symbols removed and periods replaced with hyphens. For example. JohnDoe@example.com would become /members/johndoeexample-com and Jo.test@example.com would become /members/jo-testexample-com. The members list is available to everyone and (in a default configuration) often without authentication. It is therefore trivial to collect a list of email addresses.
CVSS Score
5.3
EPSS Score
0.008
Published
2022-01-26
The buddyboss-media plugin through 3.2.3 for WordPress has stored XSS.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-09-09
Page 2