The vulnerability in the remote function (application\admin\controller\Upload.php) of the tpAdmin library allows an attacker to perform an SSRF attack.
The vulnerability in the remote function in the application\admin\controller\Upload.php file of the tpAdmin library is caused by insufficient server-side validation of requests. Exploiting this vulnerability allows a malicious actor to perform an SSRF attack...
Online Ordering System Cross-Site Scripting Vulnerability
Online Ordering System is a multi-store ordering system by the individual developer janobe. It can be used for any small business. A cross-site scripting vulnerability exists in SourceCodester Gadget Works Online Ordering System version 1.0, which stems from a problem with the file...
CVE-2023-26957
onekeyadmin v1.3.9 was discovered to contain an arbitrary file delete vulnerability via the component \admin\controller\plugins...
SENS Cross-Site Scripting Vulnerability
SENS is an enterprise blog system by the individual developer saysky. A cross-site scripting vulnerability exists in SENS v1.0, which originates from a cross-site scripting (XSS) attack on com.liuyanzhao.sens.web.controller.admin, getRegister...
PT-2022-27637 · Sens · Sens
Name of the Vulnerable Software and Affected Versions: SENS version 1.0 Description: The issue is related to Cross Site Scripting XSS via the com.liuyanzhao.sens.web.controller.admin controller, specifically the getRegister function. This allows for potential malicious script execution...
PT-2022-26790 · Xxl-Job · Xxl-Job
Name of the Vulnerable Software and Affected Versions: XXL-Job versions prior to 2.3.1 Description: The issue is related to a Server-Side Request Forgery SSRF in the component /admin/controller/JobLogController.java. This allows for potential exploitation. Recommendations: For versions prior to...
GHSA-QC43-PGWQ-3Q2Q Shopware access control list bypassed via crafted specific URLs
Impact If backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do. Patches We recommend updating to the current version 5.7.15. You can get the update to 5.7.15 regularly via the Auto-Updater or...
CVE-2022-26630
Jellycms v3.8.1 and below was discovered to contain an arbitrary file upload vulnerability via \app.\admin\Controllers\db.php...
XpressEngine Cross-Site Scripting Vulnerability
XpressEngine XE is a CMS Content Management System that allows anyone to publish content easily, conveniently and freely. With an open source license, anyone can use or modify it, and as an open project, anyone can participate in its development. XE suffers from a security vulnerability that stem...
CVE-2020-20605
Blog CMS v1.0 contains a cross-site scripting XSS vulnerability in the /controller/CommentAdminController.java component...
xujinliang zibbs Cross-Site Scripting Vulnerability
zibbs is a lightweight PHP forum system built on Bootstrap. zibbs version 1.0 has a cross-site scripting vulnerability in application/controllers/AdminController.php. An attacker can exploit this vulnerability to execute arbitrary code via the bbsmeta parameter...
GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'GravCMS Remote Command Execution', 'Description' = %q This module exploits arbitrary config write/update vulnerability to achieve remote code...
SQL Injection
In fastadmin-tp6 v1.0, the 'table' parameter passed to the file app/admin/controller/Ajax.php is not filtered, so a malicious value can be supplied for SQL injection...
CVE-2019-10684
Application/Admin/Controller/ConfigController.class.php in 74cms v5.0.1 allows remote attackers to execute arbitrary PHP code via the index.php?m=Admin&c=config&a=edit sitedomain parameter...
CVE-2019-5310
YUNUCMS 1.1.8 is affected by a cross‑site scripting vulnerability in app/admin/controller/System.php. The issue allows crafted data to be written to the sys.php file, demonstrated by using site_title in an admin/system/basic POST request. This represents an XSS risk as described across multiple s...
SDCMS Directory Traversal Vulnerability
SDCMS is a PHP and MySQL based enterprise website-building content management system (CMS) from China Fireworks Network Technology Company. A directory traversal vulnerability exists in the app/plug/attachment/controller/admincontroller.php page in SDCMS version 1.6. The vulnerability can be...
Sql injection
apps\admin\controller\content\SingleController.php in PbootCMS before V1.3.0 build 2018-11-12 has SQL Injection, as demonstrated by the POST data to the admin.php/Single/mod/mcode/1/id/3 URI...
SQL Injection Vulnerability in Uc365 Website Category Navigation System
Yuko 365 website classification navigation system is an open source navigation management system built on PHP + MYSQL. The Uke365 website navigation system v1.1.3 has a SQL injection vulnerability in the app/admin/controller/ar.php page; the vulnerability stems from the system failing ...
SDcms Cross-Site Request Forgery Vulnerability
SDcms is a PHP and MySQL based enterprise website-building content management system (CMS) by China Smoke & Fire Network Technology. A cross-site request forgery vulnerability exists in the /WWW//app/admin/controller/admincontroller.php file in SDcms version 1.5. A remote attacker can exploit this...