8790 matches found
less: OS command injection
An OS command injection flaw was found in Less. Since quoting is mishandled in filename.c, opening files with attacker-controlled file names can lead to OS command execution. Exploitation requires the LESSOPEN environment variable, which is set by default in many common cases...
CVE-2024-36420
Flowise CVE-2024-36420 affects Flowise v1.4.3, where the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to insufficient sanitization of the fileName body parameter. The issue enables reading arbitrary files on the server and is documented across multi...
Weblate Security Vulnerability
Weblate is a web-based free software continuous localization system from Copyleft. A security vulnerability exists in Weblate versions prior to 5.6.2, which stems from a failure to properly validate filenames when restoring project backups, allowing unauthorized access to files on the server usin...
PT-2024-26988
Name of the Vulnerable Software and Affected Versions Flowise version 1.4.3 Description The issue concerns a lack of sanitization of the fileName body parameter in the "/api/v1/openai-assistants-file" endpoint, which is located in the index.ts file. This lack of sanitization leads to an arbitrary...
Flowise Security Vulnerabilities
Flowise is a tool for easily building LLM applications. A security vulnerability exists in Flowise version 1.4.3, which stems from a lack of cleanup of the fileName parameter, leaving /api/v1/openai-assistants-file in index.ts vulnerable to arbitrary file read attacks...
Concept Intermedia S@M CMS Security Vulnerability
Concept Intermedia S@M CMS is a content management system from Concept Intermedia, Inc. A security vulnerability exists in Concept Intermedia S@M CMS version 3.3 and earlier, which stems from a reflective cross-site scripting attack realized by including script in the requested filename...
USN-6856-1 fontforge vulnerabilities
It was discovered that FontForge incorrectly handled filenames. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a command injection. CVE-2024-25081 It was discovered that FontForge incorrectly...
Astra Linux – Vulnerability in exim4
In versions of Exim up to 4.97.1, Misparse processes multi-line RFC 2231 header filenames. As a result, remote attackers can bypass the protection mechanism that blocks $mimefilename extensions, and potentially deliver executable attachments to the mailboxes of end users...
Malicious code in filename (PyPI)
--- -= Per source details. Do not edit below this line.=-...
MAL-2024-5141 Malicious code in filename (PyPI)
--- -= Per source details. Do not edit below this line.=-...
PT-2024-6226
Name of the Vulnerable Software and Affected Versions: Django versions 4.2 through 4.2.13 Django versions 5.0 through 5.0.6 Description: The issue is related to derived classes of the django.core.files.storage.Storage base class that override the generate filename function without replicating the...
CVE-2024-21519
OpenCart opencart/opencart (v4.0.0.0) is affected by an Arbitrary File Creation vulnerability exposed via the database restoration functionality. The root cause is PHP code injection into the database, allowing an attacker with admin privileges to create a backup file with an arbitrary filename (...
CVE-2024-37673
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter...
CVE-2024-37673
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter...
PT-2024-27708 · Tessi · Tessi Docubase Document Management
Name of the Vulnerable Software and Affected Versions: Tessi Docubase Document Management product versions 5.x Description: The issue allows a remote attacker to execute arbitrary code via the filename parameter. This is a Cross Site Scripting vulnerability. Recommendations: For Tessi Docubase...
Tessi Docubase Document Management Security Vulnerability
Tessi Docubase Document Management is a document management and process automation software from Tessi. A security vulnerability exists in Tessi Docubase Document Management version 5.x. A remote attacker could exploit the vulnerability to execute arbitrary code via the filename parameter...
PT-2024-11656 · Kostal · Kostal Piko 1.5-1 Mp Plus Hmi Oem P
Name of the Vulnerable Software and Affected Versions: Kostal PIKO 1.5-1 MP plus HMI OEM p version 1.0.1 Description: The web application for the Solar Panel is vulnerable to a Stored Cross-Site Scripting XSS attack on the API endpoint "/file.bootloader.upload.html". The application fails to...
CVE-2024-37673
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter...
PT-2024-18928 · Opencart · Opencart
Name of the Vulnerable Software and Affected Versions: opencart/opencart version 4.0.0.0 Description: A reflected XSS issue was identified in the filename parameter of the "admin tool/log" route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. T...
Reflected Cross-site Scripting
Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Reflected Cross-site Scripting. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to clic...