CVE-2022-38845
Cross-Site Scripting in the Import feature of EspoCRM 7.1.8 allows remote users to run malicious JavaScript in a victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...
EspoCRM cross-site scripting vulnerability
EspoCRM is an open source web-based customer relationship management (CRM) system. The system provides features such as sales automation, community and customer support. A security vulnerability exists in EspoCRM version 7.1.8, which stems from an import feature that contains cross-site scripting...
PT-2022-24595 · Espocrm · Espocrm
Name of the Vulnerable Software and Affected Versions: EspoCRM version 7.1.8 Description: The issue allows remote users to run malicious JavaScript in a victim's browser via sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the...
CVE-2022-2406
Mattermost CVE-2022-2406 concerns the legacy Slack import feature (v6.7.0 and earlier). The root cause is failure to properly limit imported file sizes, allowing an authenticated attacker to crash the server by uploading large files via the Slack import REST API. Impact is a DoS affecting availab...
CVE-2022-2406 Malicious imports can lead to Denial of Service
The legacy Slack import feature in Mattermost version 6.7.0 and earlier fails to properly limit the sizes of imported files, which allows an authenticated attacker to crash the server by importing large files via the Slack import REST API...
PT-2022-13973 · WordPress · Html2Wp
Name of the Vulnerable Software and Affected Versions: HTML2WP WordPress plugin versions prior to 1.1 Description: The issue concerns a lack of authorization and CSRF checks when importing files, along with a failure to validate these files. As a result, unauthenticated attackers can upload...
PT-2022-5982 · Atlassian +1 · Jira Service Management Server +2
Name of the Vulnerable Software and Affected Versions: Atlassian Jira Service Management Server and Data Center versions prior to 4.13.20 Atlassian Jira Service Management Server and Data Center versions 4.14.0 through 4.20.8 Atlassian Jira Service Management Server and Data Center versions 4.21....
GHSA-WMH7-782F-XFW5 Gravity Forms stored Cross-Site Scripting (XSS) vulnerability
A stored Cross-Site Scripting (XSS) vulnerability in the forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.)...
GHSA-6VC8-3XF2-QRXX Magento 2 Community Edition RCE Vulnerability
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file...
GHSA-C958-4J9X-Q7W4 phpMyAdmin Cross-site Scripting (XSS) in the import dialog
An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature...
CVE-2022-0134
The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make a logged-in admin perform such actions via a CSRF attack...
Atlassian Jira security vulnerability
Atlassian Jira Service is the server version of an IT service desk and request tracking system from Atlassian Australia. An information disclosure vulnerability exists in Atlassian Jira Service Management Server, which stems from broken access control in the Insight import source feature, which...
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues. function submitRequest var xhr = new XMLHttpRequest...
PT-2022-10090 · Unknown · October Cms
Name of the Vulnerable Software and Affected Versions: October CMS versions prior to 1.0.473 and 1.1.6 Description: October CMS is a self-hosted content management system CMS platform based on the Laravel PHP Framework. An attacker with access to the backend can execute PHP code by using the them...
CVE-2021-28023
Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative paths...
RSVPMaker < 8.7.3 - Authenticated (admin+) SSRF
The Import feature of the plugin (/wp-admin/tools.php?page=rsvpmakerexportscreen) takes a URL input and calls curl on it, without first validating it to ensure it's a remote one. As a result, a high-privilege user could use that feature to scan the internal network via an SSRF attack. PoC: Go to the...