378 matches found
DEBIAN-CVE-2017-16660
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remoteagent.php request containing PHP code in a Client-ip header...
CVE-2015-9230
The CVE-2015-9230 entry relates to the BulletProof Security WordPress plugin. Affected component: admin/db-backup-security/db-backup-security.php. Root cause: cross-site scripting (XSS) vulnerability via the DBTablePrefix parameter in plugin versions prior to 0.52.5, exploitable by remote authent...
CVE-2017-11715
job/uploadfilesave.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php...
CVE-2017-11715
job/uploadfilesave.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php...
CVE-2017-11405
In CMS Made Simple CMSMS 2.2.2, remote authenticated administrators can upload a .php file via a CMSContentManager action to admin/moduleinterface.php, followed by a FilePicker action to admin/moduleinterface.php in which type=image is changed to type=file...
CVE-2017-11404
In CMS Made Simple CMSMS 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php...
CVE-2017-11404
In CMS Made Simple CMSMS 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php...
Deserialization of untrusted data
application/core/controller/images.php in FineCMS through 2017-07-12 allows remote authenticated admins to conduct XSS attacks by uploading an image via a route=images action...
CVE-2017-9836
Cross-site scripting XSS vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtualname parameter to /admin.php i.e., creating a virtual album...
CVE-2017-5966
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter...
CVE-2016-9100
Symantec Advanced Secure Gateway ASG 6.6 prior to 6.6.5.13, ASG 6.7 prior to 6.7.3.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6 prior to 6.6.5.13, and ProxySG 6.7 prior to 6.7.3.1 are susceptible to an information disclosure vulnerability. An attacker with local access to the client host of an...
WordPress Crontrol Plugin <= 1.2.3 - Cross Site Scripting (XSS)
Because of this vulnerability, authenticated administrators can store HTML and JS code. Vulnerable parameters: "idhookname", "idsig", "idnextrun", "idargscode". Solution Update the plugin...
CollabNet Subversion Edge indes local file inclusion
Vuln Title: Local file inclusion in CollabNet Subversion Edge Management Frontend via logfile "listViewItem" parameter of the "index" action Date: 28.06.2015 Author: otr Software Link: https://www.open.collab.net/downloads/svnedge Vendor: CollabNet Version: 4.0.11 Tested on: Fedora Linux Type:...
WordPress WP Fast Cache Plugin <= 1.4 - Multiple Vulnerabilities
This plugin is prone to cross site request forgery attacks, which can also be combined with XSS attacks authenticated administrators only. Solution Update the plugin...
CVE-2015-0580
Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System ACS before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027...
CVE-2014-9193
Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting...
Sql injection
SQL injection vulnerability in the photo-edit subsystem in Piwigo 2.6.x and 2.7.x before 2.7.0beta2 allows remote authenticated administrators to execute arbitrary SQL commands via the associate field...
Command injection
The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.11, 4.0.x before 4.0.8, and 4.1.x before 4.1.1 allows remote authenticated administrators to execute arbitrary commands via unspecified vectors, aka Ref ID 34299...
CVE-2012-2163
IBM Scale Out Network Attached Storage SONAS 1.1 through 1.3.1 allows remote authenticated administrators to execute arbitrary Linux commands via the 1 Command Line Interface or 2 Graphical User Interface, related to a "code injection" issue...
CVE-2012-1012
server/serverstubs.c in the kadmin protocol implementation in MIT Kerberos 5 aka krb5 1.10 before 1.10.1 does not properly restrict access to 1 SETSTRING and 2 GETSTRINGS operations, which might allow remote authenticated administrators to modify or read string attributes by leveraging the global...