109 matches found
CVE-2023-30791
Plane version 0.7.1-dev is affected: an attacker can change a user’s avatar, enabling upload of files with an HTML extension that are interpreted as HTML and JavaScript. This is described across multiple sources as an insecure avatar-upload path leading to HTML/JS content. Remediation guidance in...
PT-2023-22984 · Plane · Plane
Name of the Vulnerable Software and Affected Versions: Plane version 0.7.1-dev Description: The issue allows an attacker to change the avatar of their profile, enabling the upload of files with HTML extension that can interpret both HTML and JavaScript. Recommendations: For Plane version 0.7.1-de...
Plane 代码问题漏洞
Plane is an open source, self-hosted project planning tool from Plane Open Source. A security vulnerability exists in Plane version 0.7.1-dev, which stems from a vulnerability that allows an attacker to change the avatar of their profile, thereby allowing the upload of files with HTML extensions...
Cross site scripting
Cross Site Scripting XSS vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file...
CVE-2023-27082
Cross Site Scripting XSS vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of crafted html file...
CVE-2023-34855
A Cross Site Scripting XSS vulnerability in Youxun Electronic Equipment Shanghai Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi...
Cross site scripting
A Cross Site Scripting XSS vulnerability in Youxun Electronic Equipment Shanghai Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi...
CVE-2023-34855
A Cross Site Scripting XSS vulnerability in Youxun Electronic Equipment Shanghai Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi...
Cross site scripting
A Cross Site Scripting XSS vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /authpic.cgi...
CVE-2023-34856
A Cross Site Scripting XSS vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /authpic.cgi...
CVE-2023-34856
A Cross Site Scripting XSS vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /authpic.cgi...
PT-2023-24000 · Pydio · Pydio Cells
Name of the Vulnerable Software and Affected Versions: Pydio Cells versions 4.1.2 and earlier Description: The issue allows for cross-site scripting XSS due to the exposure of secrets used to sign presigned URLs for file downloads. These secrets are hardcoded and accessible through the web...
PT-2023-3552 · D Link · D-Link Di-7500G-Ci
Name of the Vulnerable Software and Affected Versions: D-Link DI-7500G-CI version 19.05.29A Description: A Cross Site Scripting XSS issue allows attackers to execute arbitrary code by uploading a crafted HTML file to the "interface /auth pic.cgi". The vulnerability is related to the lack of...
CVE-2023-32689 Parse Server vulnerable to phishing attack vulnerability that involves uploading malicious HTML file
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server vi...
Parse Server 代码问题漏洞
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 5.4.4 and 6.0.0 through 6.1.1, which stems from a malicious user being able to upload HTML files to Parse Server via its public...
Cross site request forgery (csrf)
A Cross-Site Request Forgery CSRF in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via a supplying a crafted HTML file to the Upload software format function...
CVE-2023-31708
A Cross-Site Request Forgery CSRF in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via a supplying a crafted HTML file to the Upload software format function...
CVE-2023-31708
A Cross-Site Request Forgery CSRF in EyouCMS v1.6.2 allows attackers to execute arbitrary commands via a supplying a crafted HTML file to the Upload software format function...
CVE-2022-45144
Algoo Tracim before 4.4.2 allows XSS via HTML file upload...
Unrestricted file upload
Algoo Tracim before 4.4.2 allows XSS via HTML file upload...