220932 matches found
11in1 CMS 1.2.1 - Local File Inclusion (LFI)
Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. dot dot in the class parameter to 1 index.php or 2 admin/index.php. id: CVE-2012-0996 info: name: 11in1 CMS 1.2.1 - Local File Inclusion LFI author: daffainfo...
MinIO Browser API - Server-Side Request Forgery
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. id: CVE-2021-21287 info: name: MinIO Browser API - Server-Side Request Forgery author: pikpikcu severity: high description: MinIO Browser API before version...
WordPress W3 Total Cache <2.1.4 - Cross-Site Scripting
WordPress W3 Total Cache plugin before 2.1.4 is susceptible to cross-site scripting within the extension parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This can allow an attacker to convince an authenticated admin into clicking a link to run...
Accela Civic Platform <=21.1 - Cross-Site Scripting
Accela Civic Platform through 21.1 contains a cross-site scripting vulnerability via ssoAdapter/logoutAction.do successURL. id: CVE-2021-34370 info: name: Accela Civic Platform 21.1 that includes proper input validation and sanitization. reference: - https://www.exploit-db.com/exploits/49990 -...
WordPress Guppy <=1.1 - Information Disclosure
WordPress Guppy plugin through 1.1 is susceptible to an API disclosure vulnerability. This can allow an attacker to obtain all user IDs and then use them to make API requests to get messages sent between users and/or send messages posing as one user to another. id: CVE-2021-24997 info: name:...
WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be...
Yachtcontrol Webapplication 1.0 - Remote Command Injection
Yachtcontrol Webapplication 1.0 makes it possible to perform direct operating system commands as an unauthenticated user via the "/pages/systemcall.php?command=COMMAND" page and parameter, where COMMAND will be executed and returning the results to the client. Affects Yachtcontrol webservers...
kkFileView 4.1.0 - Cross-Site Scripting
kkFileView 4.1.0 is susceptible to cross-site scripting via the url parameter at /controller/OnlinePreviewController.java. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...
Aptana Jaxer 1.0.3.4547 - Local File inclusion
Aptana Jaxer 1.0.3.4547 is vulnerable to local file inclusion in the wikilite source code viewer. An attacker can read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI. id: CVE-2019-14312 info: name: Aptana Jaxer 1.0.3.4547 - Local File inclusion author: daffainfo...
HotelDruid 2.3.0 - Cross-Site Scripting
HotelDruid 2.3.0 contains a cross-site scripting vulnerability affecting nsextt, cambia1, mesefine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizzatabelle.php. id: CVE-2019-8937 info: name: HotelDruid 2.3.0 - Cross-Site Scripting author: LogicalHunte...
PilusCart <=1.4.1 - Local File Inclusion
PilusCart versions 1.4.1 and prior suffer from a file disclosure vulnerability via local file inclusion. id: CVE-2019-16123 info: name: PilusCart =1.4.2 or apply the vendor-supplied patch to mitigate the LFI vulnerability. reference: -...
Oracle Business Intelligence Publisher - XML External Entity Injection
Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publishe...
Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery
WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery. id: CVE-2019-8982 info: name: Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request...
L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting
L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter. id: CVE-2019-15501 info: name: L-Soft LISTSERV 16.5-2018a - Cross-Site Scripting author: LogicalHunter,arafatansari severity: medium description: | L-Soft LISTSERV befor...
DomainMOD <=4.13.0 - Cross-Site Scripting
DomainMOD through 4.13.0 contains a cross-site scripting vulnerability via /reporting/domains/cost-by-month.php in Daterange parameters. id: CVE-2019-15811 info: name: DomainMOD =4.13.1 to mitigate this vulnerability. reference: - https://www.exploit-db.com/exploits/47325 -...
SonicWall SonicOS 7.0 - Open Redirect
SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations...
Wavlink WN-533A8 - Cross-Site Scripting
Wavlink WN-533A8 M33A8.V5030.190716 contains a reflected cross-site scripting vulnerability via the loginpage parameter. id: CVE-2022-34048 info: name: Wavlink WN-533A8 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Wavlink WN-533A8 M33A8.V5030.190716 contains a...
Omnia MPX 1.5.0+r1 - Local File Inclusion
Telos Alliance Omnia MPX Node through 1.5.0+r1 is vulnerable to local file inclusion via logs/downloadMainLog. By retrieving userDB.json allows an attacker to retrieve cleartext credentials and escalate privileges via the control panel. id: CVE-2022-36642 info: name: Omnia MPX 1.5.0+r1 - Local Fi...
Wavlink WN535K2/WN535K3 - OS Command Injection
Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in /cgi-bin/touchlistsync.cgi via manipulation of the argument IP. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary...
FUDForum 3.1.0 - Cross-Site Scripting
FUDForum 3.1.0 contains a cross-site scripting vulnerability which allows remote attackers to inject JavaScript via index.php in the "srch" parameter. id: CVE-2021-27519 info: name: FUDForum 3.1.0 - Cross-Site Scripting author: kh4sh3i severity: medium description: | FUDForum 3.1.0 contains a...