411 matches found

CNNVD
added 2021/08/16 12:0 a.m. · 6 views

WordPress Plugin Cross-Site Scripting Vulnerability

WordPress is a blogging platform from the WordPress Foundation, developed in PHP. The platform supports setting up personal blog sites on PHP and MySQL servers. WordPress Plugin is an open source application plugin for WordPress. A security vulnerability exists in the WordPress...

6.1 CVSS · 6.4 AI score · 0.00895 EPSS
Exploits 1 · References 4
WPVulnDB
added 2021/08/13 12:0 a.m. · 25 views

Scribble Maps <= 1.2 - Reflected Cross-Site Scripting

The plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the /includes/admin.php file which allows attackers to inject arbitrary web scripts...

6.1 CVSS · 4.8 AI score · 0.00895 EPSS
Exploits 1 · References 1 · Affected Software 1
OSV
added 2021/08/03 10:15 p.m. · 3 views

CVE-2020-19304

An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information...

7.5 CVSS · 5.8 AI score
Exploits 0 · References 1
OSV
added 2021/07/31 5:15 p.m. · 2 views

CVE-2020-26806

admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code...

8.8 CVSS · 6 AI score · 0.05967 EPSS
Exploits 3 · References 2
Positive Technologies
added 2021/07/29 12:0 a.m. · 3 views

PT-2021-10786 · Flatpress · Flatpress

Name of the Vulnerable Software and Affected Versions: FlatPress version 1.1 Description: A Cross Site Request Forgery (CSRF) issue exists, allowing unauthorized actions. The DeleteFile function in flat/admin.php is affected. Recommendations: For FlatPress version 1.1, consider disabling the...

8.8 CVSS · 8.7 AI score · 0.00761 EPSS
Exploits 1 · References 4
OSV
added 2021/07/08 6:15 p.m. · 3 views

CVE-2020-20363

Cross Site Scripting (XSS) vulnerability in PbootCMS 2.0.3 in admin.php...

4.8 CVSS · 5.8 AI score · 0.0078 EPSS
Exploits 1 · References 3
OSV
added 2021/06/07 9:15 p.m. · 2 views

CVE-2020-25716

A flaw was found in Cloudforms. A role-based privileges escalation flaw where export or import of administrator files is possible. An attacker with a specific group can perform actions restricted only to system administrator. This is the effect of an incomplete fix for CVE-2020-10783. The highest...

8.1 CVSS · 5.8 AI score · 0.00769 EPSS
Exploits 0 · References 1
OSV
added 2021/04/07 3:15 a.m. · 2 views

CVE-2021-30147

DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such as adding new manager accounts via admin.php...

8.8 CVSS · 5.8 AI score · 0.0352 EPSS
Exploits 4 · References 3
RedHat Linux
added 2020/12/15 9:19 p.m. · 1 view

Cloudforms: Incomplete fix for CVE-2020-10783

A flaw was found in Cloudforms. A role-based privileges escalation flaw where export or import of administrator files is possible. An attacker with a specific group can perform actions restricted only to system administrator. This is the effect of an incomplete fix for CVE-2020-10783. The highest...

8.3 CVSS · 5.8 AI score · 0.01 EPSS
Exploits 0 · References 4
CNVD
added 2020/10/12 12:0 a.m. · 3 views

ImpressCMS Cross-Site Scripting Vulnerability

ImpressCMS is a MySQL-based, modular content management system (CMS). The system includes modules for press releases, forums and photo albums. A cross-site scripting vulnerability exists in modules/system/admin.php in ImpressCMS 1.4.0. An attacker can exploit this vulnerability to achieve remote co...

4.8 CVSS · 7.3 AI score · 0.01087 EPSS
Exploits 1 · References 1
RedHat Linux
added 2020/08/27 4:3 p.m. · 1 view

CloudForms: Missing access control leads to escalation of admin group privileges

A role-based privileges escalation flaw was found in Red Hat CloudForms where export or import of administrator files was possible. An attacker with the EVM-Operator group can perform actions restricted only to system administrator. Refer to CVE-2020-25716 for remaining RBAC group fixes...

8.3 CVSS · 5.8 AI score · 0.01 EPSS
Exploits 0 · References 4
CNVD
added 2020/04/07 12:0 a.m. · 2 views

DNN Information Disclosure Vulnerability

DNN, also known as DotNetNuke, is an open source content management system (CMS) from the U.S. company DNN, supported by Microsoft and based on the ASP.NET platform. The system is easy to install, scalable, feature-rich and so on. DNN (formerly DotNetNuke) 9.5 version of the embedded...

4.3 CVSS · 6.9 AI score · 0.00688 EPSS
Exploits 1
Prion
added 2020/04/06 9:15 p.m. · 11 views

Information disclosure

There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message...

4 CVSS · 4.6 AI score · 0.00688 EPSS
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2020/03/12 12:0 a.m. · 3 views

PT-2020-12138 · Chadha · Chadha Phpkb Standard Multi-Language

Name of the Vulnerable Software and Affected Versions: Chadha PHPKB Standard Multi-Language version 9 Description: The issue allows attackers to inject arbitrary web script or HTML via the GET parameter p in the admin/edit-news.php file. This enables attackers to perform a reflected XSS attack...

4.8 CVSS · 5.1 AI score · 0.00611 EPSS
Exploits 1 · References 4
OSV
added 2020/01/16 4:15 a.m. · 0 views

UBUNTU-CVE-2020-7106

Cacti 1.2.8 has stored XSS in datasources.php, colortemplatesitem.php, graphs.php, graphitems.php, lib/apiautomation.php, useradmin.php, and usergroupadmin.php, as demonstrated by the description parameter in datasources.php a raw string from the database that is displayed by $header to trigger t...

6.1 CVSS · 6.8 AI score · 0.02139 EPSS
Exploits 1 · References 3
Positive Technologies
added 2020/01/16 12:0 a.m. · 4 views

PT-2020-19374 · Cacti +2 · Cacti +2

Name of the Vulnerable Software and Affected Versions: Cacti version 1.2.8 Description: The issue concerns stored XSS in several PHP files, including data sources.php, color templates item.php, graphs.php, graph items.php, lib/api automation.php, user admin.php, and user group admin.php. This is...

9.8 CVSS · 6.1 AI score · 0.99826 EPSS
Exploits 166 · References 254
CNVD
added 2019/10/28 12:0 a.m. · 1 view

SQL injection vulnerability in ps*** method of seacms backend ad***_ne***.php file

seacms (Ocean CMS, the ocean film and television management system) is a video-on-demand system built on PHP and MySQL. An SQL injection vulnerability exists in the ps method of the seacms backend adne.php file; attackers can use the vulnerability to obtain sensitive information...

8 AI score
Exploits 0
NVD
added 2019/07/19 7:15 a.m. · 12 views

CVE-2019-13973

LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the customlogo filename suffix is not restricted, and .php may be used...

9.8 CVSS · 9.6 AI score · 0.01753 EPSS
Exploits 1 · References 1
OSV
added 2019/05/29 5:29 p.m. · 1 view

ALPINE-CVE-2019-12449

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move and copy with GFILECOPYALLMETADATA operations from admin:// to file:// URIs, because root privileges are unavailable...

5.7 CVSS · 7 AI score · 0.0184 EPSS
Exploits 0 · References 1
NVD
added 2019/01/29 6:29 p.m. · 25 views

CVE-2019-7173

A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4...

4.8 CVSS · 5 AI score · 0.0061 EPSS
Exploits 1 · References 1