
48 matches found

Positive Technologies
added 2024/01/02 12:0 a.m. · 2 views

PT-2024-13454 · Ifair · Ifair

Name of the Vulnerable Software and Affected Versions: iFair versions 23.8 ad0 and before
Description: The issue allows an attacker to obtain sensitive information via a crafted script. This is a Directory Traversal vulnerability, which means an attacker can access files and directories that are...

7.5 CVSS · 6.5 AI score · 0.00973 EPSS
Exploits 1 · References 9
Prion
added 2023/12/08 8:15 p.m. · 13 views

Cross site scripting

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via crafted scripts to the Admin Panel...

5.8 CVSS · 6.2 AI score · 0.00494 EPSS
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2023/11/07 12:0 a.m. · 2 views

WonderCMS Security Breach

WonderCMS is an open source PHP-based content management system (CMS). A security vulnerability exists in WonderCMS versions v.3.2.0 through v.3.4.2. An attacker can exploit this vulnerability to execute arbitrary code via specially crafted scripts uploaded to the installModule component...

6.1 CVSS · 7.7 AI score · 0.54305 EPSS
Exploits 16 · References 3
Cvelist
added 2023/10/23 12:0 a.m. · 45 views

CVE-2023-44760

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an...

5.6 AI score · 0.00637 EPSS
Exploits 1 · References 3
Positive Technologies
added 2023/09/11 12:0 a.m. · 3 views

PT-2023-26770 · Unknown · Zlmediakit

Name of the Vulnerable Software and Affected Versions: ZLMediaKit versions 4.0 through 5.0
Description: The issue allows an attacker to execute arbitrary code via a crafted script to the URL, potentially leading to the execution of malicious scripts. This is a Cross Site Scripting vulnerability...

6.1 CVSS · 6.4 AI score · 0.00378 EPSS
Exploits 0 · References 5
CNNVD
added 2023/07/07 12:0 a.m. · 2 views

MultiTech Conduit AP Cross-Site Request Forgery Vulnerability

The MultiTech Conduit AP is a connector from MultiTech USA. A security vulnerability exists in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0. A remote attacker could exploit the vulnerability to execute arbitrary code via specially crafted scripts...

8.8 CVSS · 8.5 AI score · 0.00453 EPSS
Exploits 1 · References 3
CNNVD
added 2023/04/04 12:0 a.m. · 3 views

Editor.md Cross-Site Scripting Vulnerability

Editor.md is an open source embedded online Markdown (a markup language) editor. A security vulnerability exists in Pandao Editor.md version v.1.5.0. A remote attacker can exploit this vulnerability to execute arbitrary code via specially crafted scripts on editor parameters...

6.1 CVSS · 6.8 AI score · 0.0066 EPSS
Exploits 1 · References 2
Microsoft CVE
added 2021/12/17 8:0 a.m. · 2 views

HTML Cleaner allows crafted and SVG embedded scripts to pass through

...

8.2 CVSS · 8.4 AI score · 0.02456 EPSS
Exploits 0
OSV
added 2021/12/13 6:15 p.m. · 2 views

ALPINE-CVE-2021-43818

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...

7.1 CVSS · 6.9 AI score · 0.02456 EPSS
Exploits 0 · References 1
Github Security Blog
added 2021/12/13 6:14 p.m. · 78 views

lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through

Impact: The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5.
Patches: The issue has been resolved in lxml 4.6.5...

8.2 CVSS · 7.5 AI score · 0.02456 EPSS
Exploits 0 · References 17 · Affected Software 1
Cvelist
added 2021/09/15 6:1 p.m. · 13 views

CVE-2021-33691

NWDI Notification Service versions 7.31, 7.40, 7.50 does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. If the victim ha...

6.9 CVSS · 6.2 AI score · 0.00618 EPSS
Exploits 0 · References 2
Prion
added 2021/06/25 9:15 p.m. · 19 views

Remote code execution

An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services...

4.6 CVSS · 7.8 AI score · 0.00778 EPSS
Exploits 0 · References 1 · Affected Software 1
RedHat Linux
added 2021/01/18 10:2 a.m. · 2 views

postgresql: Uncontrolled search path element in CREATE EXTENSION

A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or updat...

7.3 CVSS · 7.1 AI score · 0.00532 EPSS
Exploits 0 · References 4
NVD
added 2020/12/24 4:15 p.m. · 28 views

CVE-2020-9137

There is a privilege escalation vulnerability in some versions of CloudEngine 12800, CloudEngine 5800, CloudEngine 6800 and CloudEngine 7800. Due to insufficient input validation, a local attacker with high privilege may execute some specially crafted scripts in the affected products. Successful...

6.7 CVSS · 6.6 AI score · 0.00213 EPSS
Exploits 0 · References 1
Prion
added 2020/12/24 4:15 p.m. · 13 views

Privilege escalation

There is a privilege escalation vulnerability in some versions of CloudEngine 12800, CloudEngine 5800, CloudEngine 6800 and CloudEngine 7800. Due to insufficient input validation, a local attacker with high privilege may execute some specially crafted scripts in the affected products. Successful...

4.6 CVSS · 6.7 AI score · 0.00213 EPSS
Exploits 0 · References 1 · Affected Software 4
RedHat Linux
added 2020/12/17 4:1 p.m. · 4 views

postgresql: Uncontrolled search path element in CREATE EXTENSION

A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or updat...

7.3 CVSS · 7.1 AI score · 0.00532 EPSS
Exploits 0 · References 4
Microsoft CVE
added 2020/08/28 7:0 a.m. · 2 views

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

...

7.3 CVSS · 7 AI score · 0.00532 EPSS
Exploits 0
OSV
added 2020/08/17 12:0 a.m. · 1 views

UBUNTU-CVE-2020-14350

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affect...

7.3 CVSS · 7.1 AI score · 0.00532 EPSS
Exploits 0 · References 4
BDU FSTEC
added 2020/03/25 12:0 a.m. · 4 views

The vulnerability of the Universal Plug and Play (UPnP) service in Windows operating systems allows attackers to enhance their privileges.

The vulnerability of the Universal Plug and Play (UPnP) service in Windows operating systems is related to errors in memory object handling. Exploiting this vulnerability can allow an attacker to enhance their privileges through a specially created application or a specially created script...

7.8 CVSS · 7.1 AI score · 0.00901 EPSS
Exploits 0 · References 2
Prion
added 2020/02/03 11:15 a.m. · 20 views

Remote code execution

A Remote Code Execution (RCE) vulnerability exists in some designated applications in the ServiSign security plugin; as long as the interface is captured, attackers are able to launch RCE and execute arbitrary commands on the target system via maliciously crafted scripts...

9.3 CVSS · 8.9 AI score · 0.02775 EPSS
Exploits 0 · References 2 · Affected Software 1