PT-2023-6548 · Jmsblog +1 · Jmsblog +1
Name of the Vulnerable Software and Affected Versions: PrestaShop jmsblog version 2.5.5 Description: The issue is related to a lack of protection for the SQL query structure in the Jms Blog module of the PrestaShop e-commerce web application. This can be exploited by a remote attacker to execute...
PT-2023-20872 · Unknown · Onekeyadmin
Name of the Vulnerable Software and Affected Versions: onekeyadmin version 1.3.9 Description: The issue is related to a stored cross-site scripting XSS vulnerability. This vulnerability is present in the User Group module. Recommendations: For onekeyadmin version 1.3.9, consider disabling the Use...
PT-2023-20873 · Unknown · Onekeyadmin
Name of the Vulnerable Software and Affected Versions: onekeyadmin version 1.3.9 Description: The issue is related to a stored cross-site scripting XSS vulnerability. This vulnerability is present in the Admin Group module. Recommendations: For onekeyadmin version 1.3.9, consider disabling the...
SUSE CVE-2017-6931
In Drupal 8.4.x versions before 8.4.5, the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. Th...
SUSE CVE-2018-18246
Icinga Web 2 before 2.6.2 has CSRF via /icingaweb2/config/moduledisable?name=monitoring to disable the monitoring module, or via /icingaweb2/config/moduleenable?name=setup to enable the setup module...
PT-2022-26676 · Silverstripe · Silverstripe/Subsites
Name of the Vulnerable Software and Affected Versions: Silverstripe silverstripe/subsites versions through 2.6.0 Description: The subsites module can weaken edit restrictions on some files, allowing a malicious user to edit files they do not have edit rights to. This issue only affects projects...
PT-2022-26273 · Liferay · Friendly Url Module +2
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.5 through 7.4.3.36 Liferay DXP 7.4 update 1 through 36 Description: The issue concerns the Friendly Url module, which does not properly check user permissions. This allows remote attackers to obtain the history o...
PT-2022-22583 · Unknown · Clinic'S Patient Management System
Name of the Vulnerable Software and Affected Versions: Clinic's Patient Management System version 1.0 Description: The issue is related to a cross-site scripting XSS vulnerability. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...
PT-2022-18246 · Unknown · Express-Fileupload
Name of the Vulnerable Software and Affected Versions: express-fileupload version 1.3.1 Description: An arbitrary file upload vulnerability in the file upload module of express-fileupload allows attackers to execute arbitrary code via a crafted PHP file. The vendor's position is that the observed...
PT-2021-20331 · Dolibarr · Dolibarr
Name of the Vulnerable Software and Affected Versions: Dolibarr version 13.0.2 Description: The website builder module in Dolibarr allows remote PHP code execution due to an incomplete protection mechanism. Specifically, while system, exec, and shell_exec are blocked, backticks are not blocked,...
Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager
✍️ Description: An attacker is able to disable any Personal Data module if users visit an attacker-controlled site. 🕵️♂️ Proof of Concept: 1. Open the PoC.html in Firefox or Safari. 2. Now you can check that the Personal Data module with id value equal to 1 has been disabled. // PoC.html history.pushState'', '', '/'...
CVE-2021-32746 Possible path traversal by use of the `doc` module
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the doc module of Icinga Web 2 allows to view documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permissio...
Cross site scripting in the system log
Impact It is possible to inject code into the tllog table that will be executed in the browser when the system log is called in the back end. Patches Update to Contao 4.9.16 or 4.11.5. Workarounds Disable the system log module in the back end for all users especially admin users. References...
Design/Logic Flaw
Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship...
PT-2021-13886 · Mongodb · Mongodb-Client-Encryption
Name of the Vulnerable Software and Affected Versions: mongodb-client-encryption module version 1.2.0 Description: The issue arises from the mongodb-client-encryption module's failure to correctly validate the KMS server's certificate. This could allow an attacker with a privileged network positi...
PT-2020-17040 · Oaid · Oaid Tengine Lite
Name of the Vulnerable Software and Affected Versions: OAID Tengine lite version v1.0 Description: The serializer module in OAID Tengine lite has a reported Buffer Overflow issue, which can cause a crash. However, there is some uncertainty regarding the existence of proof for this overflow...
PT-2019-18320 · Foxit · Foxit Reader
Name of the Vulnerable Software and Affected Versions: Foxit Reader version 9.4.16811 Description: This issue allows remote attackers to execute arbitrary code on vulnerable installations. User interaction is required, where the target must visit a malicious page or open a malicious file. The fla...
Drupal Login Disable Module Security Bypass Vulnerability
Drupal is a free, open-source content management system developed in PHP and maintained by the Drupal community. Login Disable is one of the modules that provides login denial functionality. A security vulnerability exists in the Drupal Login Disable module in versions 6.x-1.1 prior to 6.x-1.x and...
CVE-2015-8082
The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly load the userlogout function, which allows remote attackers to bypass the logout protection mechanism by leveraging a contributed user authentication module, as demonstrated by the CAS and URL...
Authentication flaw
The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly load the userlogout function, which allows remote attackers to bypass the logout protection mechanism by leveraging a contributed user authentication module, as demonstrated by the CAS and URL...