2676 matches found

Patchstack
added 2020/10/14 12:0 a.m., 9 views

WordPress Child Theme Creator by Orbisius plugin <= 1.5.1 - Cross-Site Request Forgery (CSRF) to Arbitrary File Modification/Creation vulnerability

Cross-Site Request Forgery (CSRF) to Arbitrary File Modification/Creation vulnerability found by Chloe Chamberland in WordPress Child Theme Creator by Orbisius plugin versions <= 1.5.1. Solution: Update the WordPress Child Theme Creator by Orbisius plugin to the latest available version at least 1.5....

3.2 AI score
Exploits: 0, References: 2, Affected Software: 1

WPVulnDB
added 2020/10/14 12:0 a.m., 19 views

Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation

This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server. PoC: The following will create hello.php in the...

6.8 CVSS, 4.1 AI score, 0.00765 EPSS
Exploits: 2, References: 1, Affected Software: 1

wpexploit
added 2020/10/14 12:0 a.m., 30 views

Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation

This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server. The following will create hello.php in the...

6.8 CVSS, 1.4 AI score, 0.00765 EPSS
Exploits: 2, References: 1

NVD
added 2020/10/02 1:15 p.m., 13 views

CVE-2020-18185

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modifying the configuration file in a Linux environment...

9.8 CVSS, 0.01749 EPSS
Exploits: 1, References: 1

Debian CVE
added 2020/10/02 12:50 p.m., 26 views

CVE-2020-18185

Removed by vendor...

9.8 CVSS, 9.4 AI score, 0.01749 EPSS
Exploits: 1

NVD
added 2020/09/17 5:15 p.m., 10 views

CVE-2020-24046

A sandbox escape issue was discovered in TitanHQ SpamTitan Gateway 7.07. It limits the admin user to a restricted shell, allowing execution of a small number of tools of the operating system. This restricted shell can be bypassed after changing the properties of the user admin in the operating...

9 CVSS, 0.03408 EPSS
Exploits: 1, References: 4

OSV
added 2020/09/04 12:15 p.m., 2 views

CVE-2020-7119

A vulnerability exists in the Aruba Analytics and Location Engine (ALE) web management interface 2.1.0.2 and earlier firmware that allows an already authenticated administrative user to arbitrarily modify files as an underlying privileged operating system user...

4.9 CVSS, 5.8 AI score, 0.00748 EPSS
Exploits: 0, References: 1

NVD
added 2020/09/04 12:15 p.m., 18 views

CVE-2020-7119

A vulnerability exists in the Aruba Analytics and Location Engine (ALE) web management interface 2.1.0.2 and earlier firmware that allows an already authenticated administrative user to arbitrarily modify files as an underlying privileged operating system user...

4.9 CVSS, 5 AI score, 0.00748 EPSS
Exploits: 0, References: 1

Prion
added 2020/09/04 12:15 p.m., 16 views

Design/Logic Flaw

A vulnerability exists in the Aruba Analytics and Location Engine (ALE) web management interface 2.1.0.2 and earlier firmware that allows an already authenticated administrative user to arbitrarily modify files as an underlying privileged operating system user...

4 CVSS, 5 AI score, 0.00748 EPSS
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2020/09/04 12:1 p.m., 46 views

CVE-2020-7119

The vulnerability CVE-2020-7119 affects Aruba Analytics and Location Engine (ALE) web management interface versions up to 2.1.0.2. An authenticated administrative user can arbitrarily modify files as the underlying privileged OS user, indicating a privilege escalation within the web interface. A...

4.9 CVSS, 5 AI score, 0.00748 EPSS
Exploits: 0, References: 1, Affected Software: 1

CNVD
added 2020/08/26 12:0 a.m., 5 views

Vertiv UPS Management Module FTP Service Arbitrary File Modification Vulnerability

Vertiv Technologies Limited (Vertiv) was founded in 2000. Vertiv designs, manufactures and provides services for critical infrastructure equipment to keep data centers, communication networks, commercial and industrial facilities running well, and provides power supply and distribution, thermal...

7.1 AI score
Exploits: 0

NVD
added 2020/08/14 4:15 p.m., 23 views

CVE-2020-7583

A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrary modify...

7.8 CVSS, 7.5 AI score, 0.00268 EPSS
Exploits: 0, References: 1

Prion
added 2020/08/14 4:15 p.m., 15 views

Design/Logic Flaw

A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrary modify...

4.6 CVSS, 7.4 AI score, 0.00268 EPSS
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2020/08/14 3:24 p.m., 47 views

CVE-2020-7583

CVE-2020-7583 affects Automation License Manager 5 (all versions) and ALM 6 (all versions before 6.0.8). The root cause is improper privilege validation in certain operations, enabling a user with low privileges to arbitrarily modify files protected from writing (local access). CVSS v3.1 base sco...

7.8 CVSS, 7.4 AI score, 0.00268 EPSS
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2020/08/14 3:24 p.m., 26 views

CVE-2020-7583

A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0.8). The application does not properly validate the users' privileges when executing some operations, which could allow a user with low permissions to arbitrary modify...

7.5 AI score, 0.00268 EPSS
Exploits: 0, References: 1

OSV
added 2020/08/12 2:15 p.m., 2 views

CVE-2020-6293

SAP NetWeaver Knowledge Management, versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access...

6.5 CVSS, 6.9 AI score, 0.00934 EPSS
Exploits: 0, References: 2

ICS
added 2020/08/11 12:0 a.m., 43 views

Siemens Automation License Manager

1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low skill level to exploit Vendor: Siemens Equipment: Automation License Manager ALM Vulnerability: Improper Authorization 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to locally escalate privileges and modify...

7.8 CVSS, 7.9 AI score, 0.00268 EPSS
Exploits: 0, References: 9

Cvelist
added 2020/08/10 5:43 p.m., 13 views

CVE-2020-15651

A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS 28...

4.2 AI score, 0.00582 EPSS
Exploits: 0, References: 2

CVE
added 2020/07/23 8:51 p.m., 48 views

CVE-2020-7518

CVE-2020-7518 affects Schneider Electric Easergy Builder (versions 1.4.7.2 and older). The vulnerability is caused by improper input validation (CWE-20) that could allow an attacker to modify project configuration files. The Red Hat, CNVD, and NVD entries align on the same vulnerability descripti...

7.5 CVSS, 7.4 AI score, 0.01118 EPSS
Exploits: 0, References: 1, Affected Software: 1

Microsoft Security Update
added 2020/07/14 5:0 p.m., 13 views

Security Update for Microsoft SharePoint Foundation 2013 (KB4484448) farm-deployment

A security vulnerability exists in Microsoft SharePoint Foundation 2013 that could allow arbitrary code to run when a maliciously modified file is opened. This update resolves that vulnerability...

2.5 AI score
Exploits: 0