PT-2025-17012 · Wpcafe · Wpcafe

Name of the Vulnerable Software and Affected Versions: WPCafe versions 2.2.32 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusion. This is a...

The vulnerability of the `setUpgradeFW` function in TOTOLINK CP450 router microprogramming software allows a hacker to execute arbitrary commands.

The vulnerability of the setUpgradeFW function in TOTOLINK CP450 router microprogramming software is related to the lack of measures for cleaning input data. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands through the FileName parameter...

CVE-2023-49031

Directory Traversal Local File Inclusion vulnerability in Tikit now Advanced eMarketing platform 6.8.3.0 allows a remote attacker to read arbitrary files and obtain sensitive information via a crafted payload to the filename parameter to the OpenLogFile endpoint...

CVE-2024-35401

TOTOLINK CP900L v4.1.5cu.798B20221228 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function...

CVE-2024-8550 Local File Inclusion (LFI) in modelscope/agentscope

A Local File Inclusion LFI vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4. This vulnerability allows an attacker to read arbitrary files from the server, including sensitive files such as API keys, by manipulating the filename parameter. The issue aris...

CVE-2021-40680

There is a Directory Traversal vulnerability in Artica Proxy 4.30.000000 SP206 through SP255, and VMware appliance 4.30.000000 through SP273 via the filename parameter to /cgi-bin/main.cgi...

WordPress System Dashboard plugin <= 2.8.17 - Reflected Cross-Site Scripting via Filename Parameter vulnerability

Reflected Cross-Site Scripting via Filename Parameter vulnerability discovered by vgo0 in WordPress Plugin System Dashboard versions = 2.8.17...

CVE-2024-12299

The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Filename parameter in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVE-2024-12299 System Dashboard <= 2.8.17 - Reflected Cross-Site Scripting via Filename Parameter

The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Filename parameter in all versions up to, and including, 2.8.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

CVE-2024-12299

CVE-2024-12299 (WordPress System Dashboard plugin) : Affected plugin versions

CVE-2024-12299 System Dashboard <= 2.8.17 - Reflected Cross-Site Scripting via Filename Parameter

The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Filename parameter in all versions up to, and including, 2.8.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

WordPress plugin System Dashboard 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plug-in. A cross-site scripting vulnerability exists i...

PT-2025-1807 · WordPress · System Dashboard

Name of the Vulnerable Software and Affected Versions: System Dashboard plugin for WordPress versions up to, and including, 2.8.15 Description: The issue is related to Reflected Cross-Site Scripting via the Filename parameter due to insufficient input sanitization and output escaping. This allows...

SourceCodester Online Courseware 代码注入漏洞

SourceCodester Online Courseware is a Sourcecodester open source online courseware system. A code injection vulnerability exists in SourceCodester Online Courseware version 1.0, which stems from an incorrect manipulation of the parameter fname that can lead to cross-site scripting attacks...

Viwis LMS 代码注入漏洞

Viwis LMS is a Learning Management System from Viwis Corporation, USA. A code injection vulnerability exists in Viwis LMS version 9.11, which stems from a cross-site scripting attack caused by manipulation of the filename parameter in the file upload component...

CVE-2024-54919

A Stored Cross Site Scripting XSS was found in /teacheravatar.php of kashipara E-learning Management System v1.0. This vulnerability allows remote attackers to execute arbitrary java script via the filename parameter...

Kashipara E-learning Management System 安全漏洞

Kashipara E-learning Management System is a learning management system from Kashipara. A security vulnerability exists in Kashipara E-learning Management System v1.0. An attacker can exploit this vulnerability to execute arbitrary Java script via the filename parameter...

PT-2024-36436 · Unknown · Kashipara E-Learning Management System

Name of the Vulnerable Software and Affected Versions: Kashipara E-learning Management System version 1.0 Description: A Stored Cross Site Scripting XSS issue was found in the /teacher avatar.php file. This allows remote attackers to execute arbitrary JavaScript via the filename parameter...

VulnCheck KEV: CVE-2024-39914

FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. This vulnerability is fixed in 1.5.10.34...

CVE-2024-53999 Mobile Security Framework (MobSF) Stored Cross-Site Scripting Vulnerability in "Diff or Compare" Functionality

Mobile Security Framework MobSF is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to th...