CVE-2025-4231
Palo Alto Networks PAN-OS is affected by CVE-2025-4231: an authenticated administrative user can execute commands as root via the management Web interface. Exploitation requires network access to the PAN-OS management UI and successful authentication. Cloud NGFW and Prisma Access are not impacted...
FUDForum 3.2.0 Cross Site Scripting
FUDForum version 3.2.0 suffers from a persistent cross site scripting vulnerability. Exploit Title: FUDForum 3.2.0 Stored XSS Authenticated Exploit Author: tmrswrr Vendor Homepage: http://fudforum.org/ Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum3.2.0.zip/download Versi...
CVE-2024-22188
TYPO3 before 13.0.1 allows an authenticated admin user with system maintainer privileges to execute arbitrary shell commands with the privileges of the web server via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELT...
CVE-2024-5678
Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature...
CVE-2024-8441
An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges to SYSTEM...
CVE-2024-31401
Cross-site scripting vulnerability in Cybozu Garoon 5.0.0 to 5.15.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script on the web browser of the user who is logging in to the product...
CVE-2024-23640
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a...
CVE-2024-9197
A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B firmware versions through V5.50(ABPM.9)C0 could allow an authenticated attacker with administrator privileges to cause a temporary denial of service (DoS) condition against the web...
CVE-2024-45962
October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target...
CVE-2024-45960
Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack...
CVE-2023-25792
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in XiaoMac WP Open Social plugin = 5.0 versions...
CVE-2023-23367
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376...
CVE-2023-27429
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin = 5.4.4 versions...
CVE-2023-24530
SAP BusinessObjects Business Intelligence Platform CMC - versions 420, 430, allows an authenticated admin user to upload malicious code that can be executed by the application over the network. On successful exploitation, attacker can perform operations that may completely compromise the...
CVE-2022-25225
Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation PostgreSQL by exploiting this issue...
CVE-2022-1630
The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing an attacker to make a logged-in admin delete logs via a CSRF attack...
CVE-2022-40199
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information...
CVE-2022-34965
OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an arbitrary file upload vulnerability via the component /ossn/administrator/cominstaller. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file. Note: The project owner believes this ...
CVE-2022-25220
PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the markdown descriptions while creating a product, report or finding...
CVE-2022-45912
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. Remote code execution can occur through ClientUploader by an authenticated admin user. An authenticated admin user can upload files through the ClientUploader utility, and traverse to any other directory for remote code execution...