MarketPress <= 3.2.6 - PHP Object Injection
The MarketPress plugin installs to a directory named wordpress-ecommerce. Versions 3.2.6 and prior are vulnerable to a PHP Object Injection attack via the cart cookie value stored in connection with this plugin. Send an object to the site using the mpglobalcart cookie value and it will be...
WordPress MarketPress plugin <=3.2.6 - PHP Object Injection vulnerability
PHP Object Injection vulnerability found by Robert R in WordPress MarketPress plugin versions <= 3.2.6. Solution: Update the WordPress MarketPress plugin to the latest available version, at least 3.2.7...
WordPress Shoppable Images Lite plugin <=1.0.0 - Cross-Site Request Forgery (CSRF)/PHP Object Injection Vulnerabilities
WordPress Shoppable Images Lite plugin Cross-Site Request Forgery (CSRF)/PHP Object Injection vulnerabilities were found in the showadminnotices function. The value of the $_GET nonce variable is unserialized, which allows PHP object injection. Solution: Update the plugin...
Kaltura PHP Object Injection Vulnerability
Kaltura is a suite of open source online video platforms from the US company Kaltura. A security vulnerability exists in the 'getUserzoneCookie' function in Kaltura versions prior to 13.2.0. A remote attacker can exploit this vulnerability with a specially crafted userzone cookie to bypass the...
CVE-2014-8684
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...
Design/Logic Flaw
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...
CVE-2014-8684
CVE-2014-8684 affects CodeIgniter before 3.0 and Kohana 3.2.3 and earlier, and 3.3.x through 3.3.2. The issue arises from using standard string comparison operators to compare cryptographic hashes, which enables remote attackers to spoof session cookies and conduct PHP object injection attacks. E...
CVE-2017-14143
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...
CVE-2017-14141
The wikidecode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...
Hardcoded credentials
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzon...
Design/Logic Flaw
The wikidecode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object...
CVE-2017-14143
CVE-2017-14143 affects Kaltura prior to 13.2.0. The getUserzoneCookie function uses a hardcoded cookie secret to sign cookies, allowing remote attackers to bypass the intended protection and perform PHP object injection, resulting in arbitrary PHP code execution via a crafted userzone cookie. Pub...
CVE-2017-14141
CVE-2017-14141 affects Kaltura Server prior to 13.2.0. A vulnerability in the wiki_decode Developer System Helper in the admin panel allows remote attackers to perform PHP object injection and execute arbitrary PHP code via a specially crafted serialized object. Impact: arbitrary code execution w...
WordPress Post Pay Counter plugin <= 2.730 - Authenticated PHP Object Injection Vulnerability
WordPress Post Pay Counter plugin Authenticated PHP Object Injection Vulnerability was found in version 2.730. The WordPress Post Pay Counter plugin should have made sure the user is intended to be able to import settings by checking whether their user role is one permitted to access the page. Solution...
WordPress Media from FTP Plugin <= 9.79 - Authenticated PHP Object Injection Vulnerability
WordPress Media from FTP Plugin Authenticated PHP Object Injection Vulnerability was found in version 9.79. The WordPress Media from FTP plugin makes the function mediafromftpmedialibraryimportupdatecallback accessible through WordPress' AJAX functionality to those logged in to WordPress in the file...