1306 matches found

CNNVD
added 2024/10/14 12:0 a.m. · 3 views

VINCE security vulnerability

VINCE is an open source vulnerability information and coordination environment developed and used by the CERT Coordination Center in the United States. Vulnerability disclosure for improved coordination. A security vulnerability exists in VINCE versions prior to 3.0.8 that originates from an...

CVSS 4.9 · AI score 6.2 · EPSS 0.00424
Exploits 0 · References 2
NCSC
added 2024/10/11 7:3 a.m. · 3 views

Vulnerabilities fixed in Ivanti Connect Secure and Policy Secure

Ivanti has fixed a vulnerability in Connect Secure and Policy Secure. UPDATE: POC code is now available online for this vulnerability. An authenticated malicious person with access to the admin portal of Connect Secure or Policy Secure can exploit the vulnerability to execute code remotely. Ivant...

CVSS 9.1 · AI score 7.1 · EPSS 0.67291
Exploits 1 · References 1
NCSC
added 2024/10/09 9:49 a.m. · 4 views

Vulnerabilities fixed in Ivanti Cloud Services Appliance

Ivanti has fixed three vulnerabilities in Cloud Services Appliance. An authenticated malicious person who already has admin rights can exploit the vulnerabilities to remotely execute code and SQL statements, or bypass restrictions through path traversal. Ivanti reports that users of version 4.6...

CVSS 9.4 · AI score 7.8 · EPSS 0.98557
Exploits 2 · References 1
VulnCheck KEV
added 2024/10/08 12:0 a.m. · 3 views

VulnCheck KEV: CVE-2024-9380

Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS...

CVSS 7.2 · AI score 5.8 · EPSS 0.62988
Exploits 0 · References 1
CNNVD
added 2024/10/04 12:0 a.m. · 3 views

Esri Portal For ArcGIS cross-site scripting vulnerability

Esri Portal For ArcGIS is a component from Environmental Systems Research Institute (Esri) that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal For ArcGIS, which can be...

CVSS 4.8 · AI score 6.3 · EPSS 0.00329
Exploits 0 · References 3
OSV
added 2024/10/02 8:15 p.m. · 4 views

CVE-2024-45962

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target...

CVSS 4.7 · AI score 6 · EPSS 0.00467
Exploits 1 · References 1
NVD
added 2024/10/02 8:15 p.m. · 13 views

CVE-2024-45960

Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack...

CVSS 4.8 · EPSS 0.00334
Exploits 1 · References 1
NVD
added 2024/10/02 8:15 p.m. · 13 views

CVE-2024-45962

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target...

CVSS 4.7 · EPSS 0.00467
Exploits 1 · References 1
NVD
added 2024/10/02 8:15 p.m. · 18 views

CVE-2024-45965

Contao before 5.5.6 allows XSS via an SVG document. This affects in contao/core-bundle in Composer 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5.x before 5.5.6...

CVSS 6.4 · EPSS 0.0031
Exploits 1 · References 2
Cvelist
added 2024/10/02 12:0 a.m. · 14 views

CVE-2024-45962

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target...

EPSS 0.00467
Exploits 1 · References 1
CVE
added 2024/10/02 12:0 a.m. · 49 views

CVE-2024-45962

CVE-2024-45962 affects October CMS 3.6.30. An authenticated admin can upload a PDF containing malicious JavaScript; when accessed via the website this can lead to XSS or potential arbitrary code execution in the target. No fixed version is published in the provided documents. Remediation guidance...

CVSS 4.7 · AI score 6 · EPSS 0.00467
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2024/10/02 12:0 a.m. · 15 views

CVE-2024-45960

Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack...

AI score 6.1 · EPSS 0.00334
Exploits 1 · References 1
Cvelist
added 2024/10/02 12:0 a.m. · 16 views

CVE-2024-45960

Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack...

EPSS 0.00334
Exploits 1 · References 1
Positive Technologies
added 2024/10/02 12:0 a.m. · 6 views

PT-2024-31857 · October · October

Name of the Vulnerable Software and Affected Versions: October versions 3.6.30
Description: The issue allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site...

CVSS 4.7 · AI score 6.4 · EPSS 0.00467
Exploits 1 · References 8
Vulnrichment
added 2024/10/02 12:0 a.m. · 8 views

CVE-2024-45965

Contao before 5.5.6 allows XSS via an SVG document. This affects in contao/core-bundle in Composer 4.x before 4.13.54, 5.0.x through 5.3.x before 5.3.30, and 5.4.x and 5.5.x before 5.5.6...

CVSS 6.4 · AI score 4.8 · EPSS 0.0031
Exploits 1 · References 2
CVE
added 2024/10/02 12:0 a.m. · 51 views

CVE-2024-45965

CVE-2024-45965 — Contao SVG upload XSS: The vulnerability affects Contao Core Bundle via SVG uploads, enabling stored XSS when an attacker (or authenticated admin) uploads a crafted SVG. Affected versions are: 4.x prior to 4.13.54; 5.0.x–5.3.x prior to 5.3.30; and 5.4.x and 5.5.x prior to 5.5.6....

CVSS 6.4 · AI score 5 · EPSS 0.0031
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2024/09/26 12:0 a.m. · 18 views

CVE-2024-45983

A Cross-Site Request Forgery (CSRF) vulnerability exists in kishan0725's Hospital Management System version 6.3.5. The vulnerability allows an attacker to craft a malicious HTML form that submits a request to delete a doctor record. By enticing an authenticated admin user to visit the specially...

EPSS 0.00135
Exploits 1 · References 1
Positive Technologies
added 2024/09/26 12:0 a.m. · 5 views

PT-2024-31869 · Unknown · Hospital Management System

Name of the Vulnerable Software and Affected Versions: kishan0725's Hospital Management System version 6.3.5
Description: A Cross-Site Request Forgery (CSRF) issue exists, allowing an attacker to craft a malicious HTML form that submits a request to delete a doctor record. By enticing an...

CVSS 6.3 · AI score 7.1 · EPSS 0.00135
Exploits 1 · References 5
ATTACKERKB
added 2024/09/24 3:15 a.m. · 1 views

CVE-2022-2439

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'uploadfile' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using...

CVSS 7.2 · AI score 6 · EPSS 0.00671
Exploits 0 · References 4
Patchstack
added 2024/09/24 1:2 a.m. · 5 views

WordPress Easy Digital Downloads plugin <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization vulnerability

Authenticated (Admin+) PHAR Deserialization vulnerability discovered by Rasoul Jahanshahi in WordPress Plugin Easy Digital Downloads versions <= 3.3.3...

CVSS 7.2 · AI score 7 · EPSS 0.00671
Exploits 0 · References 1 · Affected Software 1