64 matches found
CVE-2025-35052 Newforma Info Exchange (NIX) shared hard-coded secret key
Newforma Info Exchange NIX uses a hard-coded key to encrypt certain query parameters. Some encrypted parameter values can specify paths to download files, potentially bypassing authentication and authorization, for example, the 'qs' parameter used in '/DownloadWeb/download.aspx'. This key is shar...
EUVD-2010-2346
Malware in sbrugna...
EUVD-2010-2344
Malware in sbrugna...
Mahara < 23.04.9, 24.04.5 Multiple Vulnerabilities
Mahara is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mahara:mahara"; if description...
CVE-2025-5588
CVE-2025-5588 : The Image Editor by Pixo WordPress plugin is vulnerable to a Stored Cross-Site Scripting (Stored XSS) via the download parameter. Affected versions are up to and including 2.3.6. The issue arises from insufficient input sanitization and output escaping, enabling an authenticated a...
CVE-2010-2336
index.php in Yamamah Photo Gallery 1.00 allows remote attackers to obtain the source code of executable files within the web document root via the download parameter...
CVE-2024-13435
The Ebook Downloader plugin for WordPress is vulnerable to SQL Injection via the 'download' parameter in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
PT-2025-6459 · WordPress · Ebook Downloader
Name of the Vulnerable Software and Affected Versions: Ebook Downloader plugin for WordPress versions prior to 1.1 Description: The issue is related to SQL Injection via the download parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the...
CVE-2023-24676
An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the downloadzipurl parameter when installing a new module. NOTE: this is disputed because exploitation requires that the attacker is able to enter requests as an admin; however, a...
QR Code Generator Cross-Site Scripting Vulnerability
QR Code Generator is a QR code generator website. A cross-site scripting vulnerability exists in code-projects QR Code Generator version 1.0, which stems from the parameter file in the file /download.php?file=author.png that causes cross-site scripting...
CVE-2023-43206
D-LINK DWL-6610 FWv4.3.0.8B003C was discovered to contain a command injection vulnerability in the function webcertdownloadhandler. This vulnerability allows attackers to execute arbitrary commands via the certDownload parameter...
Dooblou WiFi File Explorer 跨站脚本漏洞
Dooblou WiFi File Explorer is a free WiFi file explorer from Dooblou. A cross-site scripting vulnerability exists in Dooblou WiFi File Explorer version 1.13.3, which stems from the parameter search/order/download/mode that causes cross-site scripting...
PT-2022-26845 · Unknown · Simple E-Learning System
Name of the Vulnerable Software and Affected Versions: Simple E-Learning System version 1.0 Description: An information disclosure issue exists in the component "vcs/downloadFiles.php?download=./search.php" of Simple E-Learning System, allowing attackers to read arbitrary files. Recommendations:...
OcoMon SQL注入漏洞
OcoMon is a helpdesk system from the personal developer Rafael Foster. It is designed to manage integrated inventory control that supports tickets and computing devices. An SQL injection vulnerability exists in OcoMon version v4.0, which stems from the cod parameter in download.php being vulnerab...
CVE-2022-34878
SQL Injection vulnerability in User Stats interface /vicidial/userstats.php of VICIdial via the filedownload parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and beco...
CVE-2020-27467
A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php...
CVE-2020-27467
A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php...
Lfi-ProcessWire Cms 路径遍历漏洞
Ryan Cramer Design Lfi-ProcessWire Cms is a free Content Management System Cms and Framework Cmf from Ryan Cramer Design USA designed to save you time and work the way you want. A path traversal vulnerability exists in Ryan Cramer Design Lfi-ProcessWire Cms versions prior to 2.7.1, which stems fr...
CVE-2020-36486
Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting XSS vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling...
CVE-2021-26698
OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet user-generated content when a sharing link is created and the dl parameter is used...