55 matches found

EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2021-29852

Malicious code in bioql PyPI...

CVSS 9.8, AI score 9.2, EPSS 0.07063
Exploits 1, References 1
NVD
added 2023/08/15 9:15 p.m., 11 views

CVE-2023-39852

Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php. NOTE: this is disputed by a third party who claims that the userid is a session variable controlled by the server, and thus cannot be used for exploitation. The original reporter...

CVSS 9.8, AI score 9.8, EPSS 0.00766
Exploits 1, References 2
Vulnrichment
added 2023/08/15 12:00 a.m., 10 views

CVE-2023-39852

Doctormms v1.0 was discovered to contain a SQL injection vulnerability via the $userid parameter at myAppoinment.php. NOTE: this is disputed by a third party who claims that the userid is a session variable controlled by the server, and thus cannot be used for exploitation. The original reporter...

AI score 8.2, EPSS 0.00766
Exploits 1, References 2
Vulnrichment
added 2023/08/03 12:00 a.m., 8 views

CVE-2023-38941

django-sspanel v2022.2.2 was discovered to contain a remote command execution (RCE) vulnerability via the component sspanel/admin_view.py -> GoodsCreateView._post...

AI score 7.7, EPSS 0.06896
Exploits 0, References 1
CVE
added 2023/08/03 12:00 a.m., 29 views

CVE-2023-38941

The CVE-2023-38941 entry relates to django-sspanel v2022.2.2, with a remote command execution (RCE) vulnerability exposed through sspanel/admin_view.py -> GoodsCreateView._post. The connected sources consistently describe an RCE impact in this specific version; no vendor-provided patch Version...

CVSS 9.8, AI score 9.7, EPSS 0.06896
Exploits 0, References 1, Affected Software 1
NVD
added 2022/05/16 2:15 p.m., 7 views

CVE-2021-42897

A remote command execution (RCE) vulnerability was found in FeMiner wms V1.0 in /wms/src/system/datarec.php. The $_POST[rname] value is directly passed into $mysql_str and is executed by exec...

CVSS 9.8, EPSS 0.07063
Exploits 1, References 1
Prion
added 2022/05/16 2:15 p.m., 9 views

Command injection

A remote command execution (RCE) vulnerability was found in FeMiner wms V1.0 in /wms/src/system/datarec.php. The $_POST[rname] value is directly passed into $mysql_str and is executed by exec...

CVSS 7.5, AI score 9.5, EPSS 0.07063
Exploits 1, References 1, Affected Software 1
Cvelist
added 2022/05/16 1:32 p.m., 14 views

CVE-2021-42897

A remote command execution (RCE) vulnerability was found in FeMiner wms V1.0 in /wms/src/system/datarec.php. The $_POST[rname] value is directly passed into $mysql_str and is executed by exec...

AI score 9.8, EPSS 0.07063
Exploits 1, References 1
OSV
added 2022/05/13 1:18 a.m., 13 views

GHSA-G77V-M226-3F7G Froxlor PHP Object Injection vulnerability

Froxlor version <= 0.9.39.5 contains a PHP Object Injection vulnerability in the Domain name form that can result in possible information disclosure and remote code execution. This attack appears to be exploitable by passing a malicious serialized PHP object in $_POST['ssl_ipandport']. This vulnerability appears to...

CVSS 7.2, AI score 7.5, EPSS 0.02568
Exploits 0, References 5
NVD
added 2021/12/01 3:15 p.m., 8 views

CVE-2021-43689

manage (last update Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function will terminate the script and print a message which contains values from $_POST...

CVSS 6.1, EPSS 0.00223
Exploits 1, References 1
NVD
added 2021/11/01 9:15 p.m., 12 views

CVE-2021-38356

The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter, which is echoed out on inc/nxs_class_snap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...

CVSS 6.1, EPSS 0.0021
Exploits 3, References 1
Cvelist
added 2021/11/01 9:01 p.m., 14 views

CVE-2021-38356 NextScripts: Social Networks Auto-Poster <= 4.3.20 Reflected Cross-Site Scripting

The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter, which is echoed out on inc/nxs_class_snap.php by supplying the appropriate value 'nxssnap-post' to load the page in $_GET['page'] along with malicious...

CVSS 6.1, AI score 6.2, EPSS 0.0021
Exploits 3, References 1
Github Security Blog
added 2021/10/12 4:29 p.m., 23 views

Critical severity vulnerability in Ignition

The Ignition page before version 2.0.5 for Laravel mishandles globals, get, post, cookie, and env. NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix...

CVSS 9.8, AI score 3.6, EPSS 0.00433
Exploits 0, References 6, Affected Software 1
Prion
added 2021/08/09 10:15 a.m., 17 views

Code injection

The User Registration, User Profile, Login & Membership – ProfilePress (formerly WP User Avatar) WordPress plugin before 3.1.11 has a widget for tabbed login/register whose output was not properly escaped and could be used in an XSS attack, which could lead to wp-admin access. Further, the plugin in several places...

CVSS 4.3, AI score 5.9, EPSS 0.00247
Exploits 2, References 1, Affected Software 1
CVE
added 2021/08/09 10:04 a.m., 69 views

CVE-2021-24522

CVE-2021-24522 affects ProfilePress (formerly WP User Avatar) for WordPress, before version 3.1.11. The tabbed login/register widget is vulnerable to unauthenticated reflected XSS due to improper escaping, with some cases enabling replication via $_GET because $_POST values were mapped to $_GET. ...

CVSS 6.1, AI score 6, EPSS 0.00247
Exploits 2, References 1, Affected Software 1
WPVulnDB
added 2020/08/03 12:00 a.m., 24 views

Newsletter < 6.8.2 - Authenticated PHP Object Injection

The restore_options_from_request function, called by the AJAX function tnpc_render_callback, runs unserialize directly on $options['inline_edits'], which is provided by user input in the $_POST['options'] parameter. This creates the potential for an Object Injection vulnerability. For example, a user...

CVSS 6, AI score 2.4, EPSS 0.0098
Exploits 1, References 1, Affected Software 1
Prion
added 2019/07/10 2:15 p.m., 9 views

Cross site scripting

An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter...

CVSS 4.3, AI score 5.9, EPSS 0.00301
Exploits 0, References 3, Affected Software 1
Veracode
added 2019/06/05 11:43 a.m., 31 views

Cross-Site Request Forgery (CSRF)

phpMyAdmin is vulnerable to cross-site request forgery (CSRF). The readCredentials function in the AuthenticationCookie plugin uses $_REQUEST instead of $_POST, so the login credentials are also accepted from a GET request. This allows an attacker to trick a user and deliver a malicious payload, through statements such as INSERT or DELETE, to the victim...

CVSS 6.5, AI score 6.4, EPSS 0.52136
Exploits 4, References 10, Affected Software 1
NVD
added 2019/04/29 2:29 p.m., 11 views

CVE-2019-11591

The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is...

CVSS 8.8, AI score 8.6, EPSS 0.00199
Exploits 1, References 4
NVD
added 2019/04/26 10:29 p.m., 13 views

CVE-2019-11557

The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the...

CVSS 8.8, AI score 8.6, EPSS 0.00175
Exploits 1, References 4
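The phpMyAdmin readCredentials entry and the two WebDorado Contact Form entries above describe one bug class: the code checks a value from one PHP request source ($_POST) and then acts on a value from another ($_GET or $_REQUEST), so the check and the action can see different data. The snippet below is an added illustration written for this page, not code from phpMyAdmin, the WebDorado plugins or any other project listed here; the function names, the 'render_form' action, the 'view' parameter and the directory layout are hypothetical, and the request arrays are constructed, not captured.

```php
<?php
// Added illustration for this page; not code from any project in the listing above.
// vulnerable_dispatch, hardened_dispatch, 'render_form', 'view' and the paths are hypothetical.

// $_GET and $_POST are populated independently, and $_REQUEST merges them (order set by
// request_order/variables_order), so a POST whose body passes the check can carry a
// different value in the query string, and a plain GET (a link or <img> on an attacker
// page) reaches any code that reads $_REQUEST instead of $_POST. That is the CSRF angle
// in the phpMyAdmin entry and the $_POST/$_GET discrepancy in the WebDorado entries.

// Vulnerable pattern: authorize on the POST body, then build a file path from the query string.
function vulnerable_dispatch(array $get, array $post, string $base): string
{
    if (($post['action'] ?? '') !== 'render_form') {   // gate looks at $_POST ...
        return 'denied';
    }
    $view = $get['view'] ?? 'default';                  // ... action reads $_GET, never checked
    return $base . '/views/' . $view . '.php';          // '../../secret' escapes views/
}

// Hardened pattern: take every security-relevant parameter from the same source the gate
// used, map the value through a fixed allow-list, and confirm the resolved path is still
// under the intended directory before touching the filesystem.
function hardened_dispatch(array $post, string $base): string
{
    static $allowed = ['default' => 'default.php', 'advanced' => 'advanced.php'];

    if (($post['action'] ?? '') !== 'render_form') {
        return 'denied';
    }
    $view = $post['view'] ?? 'default';
    if (!isset($allowed[$view])) {                      // unknown view: refuse, do not guess
        return 'denied';
    }
    $viewsDir = realpath($base . '/views');
    $real     = realpath($base . '/views/' . $allowed[$view]);
    if ($viewsDir === false || $real === false
        || strncmp($real, $viewsDir . DIRECTORY_SEPARATOR, strlen($viewsDir) + 1) !== 0) {
        return 'denied';                                // missing file or path outside views/
    }
    return $real;
}

// Constructed request pair (not a real capture): a body that passes the gate plus a poisoned query string.
$post = ['action' => 'render_form', 'view' => 'default'];
$get  = ['view' => '../../secret'];

echo vulnerable_dispatch($get, $post, '/var/www/plugin'), PHP_EOL;
echo hardened_dispatch($post, '/var/www/plugin'), PHP_EOL;
```

The hardened version also refuses requests that arrive only via the query string, which is the fix the phpMyAdmin advisory points at: state-changing or credential-bearing handlers should read $_POST (and verify a CSRF token) rather than $_REQUEST, so a cross-site GET cannot reach them.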