NukeViet Cross-Site Request Forgery (CSRF)
clearsystem.php in NukeViet 4.4 allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI...
GHSA-J4FQ-3FM7-WH5V Magento arbitrary PHP code execution via the productData parameter
The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition CE before 1.9.2.1 and Enterprise Edition EE before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via the productData...
GHSA-G32Q-4FHF-CQ72 ImpressCMS XSS
ImpressCMS 1.3.10 has XSS via the PATHINFO to htdocs/install/index.php, htdocs/install/pagelangselect.php, or htdocs/install/pagemodcheck.php...
GHSA-V3M8-7H3P-6J5M Dolibarr ERP and CRM SQLi
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php searchsupervisor and searchstatut parameters...
Cross-site scripting
atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter...
CVE-2022-30776
Affected software: Atmail 6.5.0. Vulnerability: Cross-site scripting (XSS) via the index.php/admin/index/ 'error' parameter. Root cause: Improper handling/input validation of the error parameter leads to script execution in the victim’s browser. Impact (as described): attackers could execute mali...
GHSA-726G-CGCQ-4XW8 Dolibarr Cross-Site Scripting (XSS) vulnerability
Dolibarr ERP/CRM is affected by multiple reflected cross-site scripting (XSS) vulnerabilities in versions before 5.0.4: index.php leftmenu parameter, core/ajax/box.php PATHINFO, product/stats/card.php type parameter, holiday/list.php monthcreate, monthstart, and monthend parameters, and don/card.ph...
GHSA-XVHR-7Q4Q-QJGP thinkphp SQL Injection via the index.php s parameter
thinkphp 3.1.3 has SQL Injection via the index.php s parameter...
GHSA-C3VX-V4X8-X894 Moodle does not check for the moodle/course:viewhiddencourses capability
enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL...
GHSA-43R4-VM25-QM78 Moodle has multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within 1...
Incorrect Permission Assignment for Critical Resource in ShopXO
ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php...
CVE-2022-28056
ShopXO v2.2.5 and below was discovered to contain a system re-install vulnerability via the Add function in app/install/controller/Index.php...
CVE-2022-28918
GreenCMS v2.3.0603 was discovered to contain an arbitrary file deletion vulnerability via /index.php?m=admin&c=custom&a=plugindelhandle&pluginname=...
CVE-2022-28918
GreenCMS v2.3.0603 is affected by an arbitrary file deletion vulnerability exploitable over the network via /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=. The CVE entry indicates this allows deletion of arbitrary files, with CVSSv3.1 base score 8.1 (HIGH) and a network attack vector;...
CVE-2022-28522
ZCMS v20170206 contains a stored XSS vulnerability in index.php?m=home&c=message&a=add. The root cause is a stored cross-site scripting flaw in the message add endpoint, allowing injection that can affect other users. According to the provided sources, the impact is C=L/I=L (partial integrity imp...