CVE-2023-45881

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resourcesaddQuickajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response...

Updated zlib packages fix a security vulnerability

The updated packages fix a security vulnerability: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip464 via a long filename, comment, or extra field. CVE-2023-45853...

NewStart CGSL MAIN 6.06 : ctags Vulnerability (NS-SA-2023-0143)

The remote NewStart CGSL host, running version MAIN 6.06, has ctags packages installed that are affected by a vulnerability: - A flaw was found in Exuberant Ctags in the way it handles the -o option. This option specifies the tag filename. A crafted tag filename specified in the command line or i...

CVE-2023-46789

Online Matrimonial Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'filename' attribute of the 'pic1' multipart parameter of the functions.php resource does not validate the characters received and they are sent unfiltered to the database...

PT-2023-30219 · Unknown · Online Matrimonial Project

Name of the Vulnerable Software and Affected Versions: Online Matrimonial Project version 1.0 Description: The issue concerns Unauthenticated SQL Injection vulnerabilities. Specifically, the filename attribute of the pic4 multipart parameter is vulnerable. Recommendations: For Online Matrimonial...

GHSA-GV2C-5G79-H73C Ibexa ezplatform-kernel download route allows filename change

Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...

GHSA-946C-F9W6-2C25 Download route allows filename change in eZpublish kernel

Impact The route used for file downloads allows specifying the name of the downloaded file. This is an unintended side effect of the implementation, and means one could construct download URLs with filenames that have no relation to the actual file, which could lead to misunderstandings and...

CVE-2023-4768

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATEID/1613157927228/InvSWMetering.p...

Crlf injection

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATEID/1613157927228/InvSWMetering.p...

Crlf injection

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATEID/1613157927228/InvSWMetering.c...

Cross-site Scripting (XSS)

phpbb/phpbb is vulnerable to Cross-site Scripting XSS. The vulnerability exists because the main function in acpicons.php does not adequately escape the smilies URL and does not prevent the use of a .pak filename, allowing an attacker to inject and execute malicious JavaScript...

PT-2023-30555 · Zoho · Manageengine Desktop Central

Name of the Vulnerable Software and Affected Versions: ManageEngine Desktop Central version 9.1.0 Description: A CRLF injection vulnerability has been found in ManageEngine Desktop Central. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response...

curl: CVE-2023-46219: HSTS long file name clears contents

Vulnerability description not provided...

phpMyFAQ FileName parameter cross-site scripting vulnerability

phpMyFAQ is a multi-language, fully database-driven FAQ system. A cross-site scripting vulnerability exists in versions prior to phpMyFAQ 3.2.2, which stems from the lack of effective filtering and escaping of user-supplied data in the FileName parameter of the file attachment upload function, an...

SUSE CVE-2016-4446

The allowexecstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function...

CVE-2023-46574

An issue in TOTOLINK A3700R v.9.1.2u.616520211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function...

CVE-2023-46574

An issue in TOTOLINK A3700R v.9.1.2u.616520211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function...

CVE-2023-46574

An issue in TOTOLINK A3700R v.9.1.2u.616520211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function...

TOTOLINK A3700R 命令注入漏洞

The TOTOLINK A3700R is a wireless router from China's Gion Electronics TOTOLINK. A command execution vulnerability exists in the TOTOLINK A3700R v9.1.2u.616520211012, which can be exploited by an attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function...

CVE-2023-46574

An issue in TOTOLINK A3700R v.9.1.2u.616520211012 allows a remote attacker to execute arbitrary code via the FileName parameter of the UploadFirmwareFile function...