55 matches found
Cxuucms 跨站请求伪造漏洞
CxuuCms is an easy-to-use, open source PHP+Mysql based content management system. CXUUCMS 3.1 suffers from a cross-site request forgery vulnerability. An attacker can add an administrator account via admin.php?c=adminuser&a=add to exploit this vulnerability...
Cross site scripting
A reflected cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 when the feature that adds a secret key to the Admin URL is...
GHSA-7RP2-FM2H-WCHJ Django Cross-site Scripting in AdminURLFieldWidget
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...
PYSEC-2019-79
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...
CVE-2019-11374
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI...
CVE-2019-6249
An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=editinfo&acttype=add...
WordPress Metronet Tag Manager Cross-Site Request Forgery Vulnerability
WordPress is the WordPress Software Foundation's set of blogging platform developed using the PHP language, the platform supports PHP and MySQL servers to set up a personal blog site.Metronet Tag Manager is used in one of the tracking code manager plugin. A cross-site request forgery vulnerabilit...
CVE-2018-10266
BEESCMS 4.0 has a CSRF vulnerability to add an administrator account via the admin/adminadmin.php?nav=listadminuser&adminpnav=user URI...
PbootCMS Cross-Site Request Forgery Vulnerability
PbootCMS is an open source enterprise building content management system CMS developed using the PHP language. A cross-site request forgery vulnerability exists in PbootCMS version 0.9.8. A remote attacker can exploit this vulnerability by sending admin.php/Message/mod/id/19.html?backurl=/index.p...
agentsproperty.in XSS vulnerability
Vulnerable URL: http://www.agentsproperty.in/admin/index.php?msg=1%22%27--!%3E%3CScript%20/K/%3Econfirm'OPENBUGBOUNTY'%3C/Script%20/K/%3E Details: Description| Value ---|--- Patched:| No Latest check for patch:| 28.07.2017 Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa...
WordPress iMember360is 3.9.001 XSS / Disclosure / Code Execution
------------ BACKGROUND ------------ "iMember360is a WordPress plugin that will turn a normal WordPress site into a full featured membership site. It includes all the protection controls you can imagine, yet driven by Infusionsoft's second-to-none CRM and e-commerce engine." --...
WIWOS Enpowering Web Solutions SQL Injection Vulnerability
WIWOS Enpowering Web Solutions SQL Injection Vulnerability .:. Author : larcenciels .:. Contact : email protected | email protected .:. Site : http://winnerawan.com/ Dork: "Enpowered by: wiwos" dork: intext:"Enpowered by: wiwos" vuln: apps/ProductManager/ i use sqlmap poc:...
Smart Vision Script News SQL Injection Exploit
!usr/bin/perl Exploit Title: Smart Vision Script News newsdetail SQL Injection Exploit Date: 01-04-2010 Author: darkmasking This was written for educational purpose only. Use it at your own risk. Author will be not responsible for any damage! Vuln discovered by Err0R Smart Vision Script News...
Design/Logic Flaw
EQdkp 1.3.1 and earlier authenticates administrative requests by verifying that the HTTP Referer header specifies an admin/ URL, which allows remote attackers to read or modify account names and passwords via a spoofed Referer...
NPE in SpaceHelper borks page....
If you have a url for Space admin : http://server.name.com/spaces/listdecorators.action?key=BP2I And you get the space key wrong, then rather than failing gracefully, you end up with an sitemesh decoration of an empty page.... Looking at the code, you can see why: public String getSpaceName retur...