44 matches found
Umbraco Forms path traversal vulnerability
Umbraco Forms is a form-building tool developed by the Umbraco company. Versions 16 and 17 of Umbraco Forms contain a path traversal vulnerability. This vulnerability allows authenticated backend users to enumerate and traverse system file paths, potentially leading to the reading of file content...
Insufficient Granularity of Access Control
Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the properties API endpoint. An attacker can access and retrieve the complete list of configurable metadata definitions by sending requests as an authenticated backend user without explicit...
Insufficient Granularity of Access Control
Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via the favorite-output-definitions-table-proxy API endpoint. An attacker can access or modify configurations without proper authorization by sending requests as an authenticated backend user w...
CVE-2026-23496
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an...
EUVD-2023-51556
Malicious code in bioql PyPI...
CVE-2023-47444
An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server...
Command Injection
Overview nitsan/ns-backup is an extension for TYPO3 that lets you save your code, files, and database with just a few clicks. Install Backup Plus and connect it to your cloud storage like Google Drive, Dropbox, Amazon S3, SFTP, Rsync, etc.. Affected versions of this package are vulnerable to...
Contao 路径遍历漏洞
Contao is Contao open source a set of open source content management system CMS developed using PHP. The system supports search engines, rights management and CSS frameworks. A path traversal vulnerability exists in versions prior to Contao 4.13.49, which stems from a back-end authenticated user...
CVE-2023-44381
October is a Content Management System CMS and web platform to assist with development workflow. An authenticated backend user with the editor.cmspages, editor.cmslayouts, or editor.cmspartials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to...
Template Injection
October CMS is vulnerable to Template Injection. The vulnerability is caused by a crafted request which includes PHP code in the CMS template, where an authenticated backend user possessing the editor.cmspages, editor.cmslayouts, or editor.cmspartials can execute arbitrary PHP code even when the...
TYPO3 vulnerable to Insecure Unserialize via Content Editing Wizards component
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an...
GHSA-4R6G-XHX7-FM36 Contao Core directory traversal vulnerability
Directory traversal vulnerability in Contao before 3.2.19, and 3.4.x before 3.4.4 allows remote authenticated backend users to view files outside their file mounts or the document root via unspecified vectors...
GHSA-RGF6-9Q7G-55QG Typo3 Function Menu API XSS Vulnerability
Cross-site scripting XSS vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
TYPO3 Direct Mail Component Information Disclosure Vulnerability (CNVD-2020-28942)
TYPO3 is a free and open source content management system framework CMS/CMF of the Swiss TYPO3 Association. A security vulnerability exists in the Direct Mail component of TYPO3 5.2.3 and prior versions, which originates from the program's inability to check whether an authenticated back-end user...
CVE-2014-3949
Cross-site scripting XSS vulnerability in the layout wizard in the Grid Elements gridelements extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
Cross site scripting
Cross-site scripting XSS vulnerability in the layout wizard in the Grid Elements gridelements extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
CVE-2014-3949
Cross-site scripting XSS vulnerability in the layout wizard in the Grid Elements gridelements extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
CVE-2014-3949
CVE-2014-3949 describes a cross-site scripting (XSS) vulnerability in the Grid Elements (gridelements) TYPO3 extension. The issue affects the layout wizard in versions before 1.5.1 and 2.0.x before 2.0.3, allowing a remote authenticated backend user to inject arbitrary script or HTML via unspecif...
CVE-2013-7075
The Content Editing Wizards component in TYPO3 4.5.0 through 4.5.31, 4.7.0 through 4.7.16, 6.0.0 through 6.0.11, and 6.1.0 through 6.1.6 allows remote authenticated backend users to unserialize arbitrary PHP objects, delete arbitrary files, and possibly have other unspecified impacts via an...
CVE-2012-6148
Cross-site scripting XSS vulnerability in the function menu API in TYPO3 4.5.x before 4.5.21, 4.6.x before 4.6.14, and 4.7.x before 4.7.6 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...