72 matches found
CVE-2024-45962
CVE-2024-45962 affects October CMS 3.6.30. An authenticated admin can upload a PDF containing malicious JavaScript; when accessed via the website this can lead to XSS or potential arbitrary code execution in the target. No fixed version is published in the provided documents. Remediation guidance...
CVE-2024-45962
October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting XSS attack or execute arbitrary code via a crafted JavaScript to the target...
CVE-2024-45960
Zenario CMS 9.7.61188 is affected. Authentication is required for the exploit: an admin can upload PDF files containing malicious code. If such a PDF is accessed via the site, it can trigger Cross-Site Scripting (XSS) in the user’s browser. The root cause is a lack of proper validation for upload...
CVE-2024-3277
CVE-2024-3277 affects the WordPress plugin “Yumpu ePaper publishing” (versions
CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...
CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...
PT-2024-24841 · WordPress · Yumpu Epaper Publishing Plugin
Name of the Vulnerable Software and Affected Versions: Yumpu ePaper publishing plugin for WordPress version 2.0.24 and earlier Description: The issue allows authenticated attackers with subscriber-level access and above to upload PDF files, publish them, and modify the API key due to a missing...
WordPress Yumpu ePaper publishing plugin <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability
Missing Authorization to PDF Upload, Publishing, and API Key Modification vulnerability discovered by Lucio Sá in WordPress Plugin Yumpu ePaper publishing versions = 2.0.24...
Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
Description The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level...
PT-2024-26563 · O2Oa · O2Oa
Name of the Vulnerable Software and Affected Versions: O2OA version 8.3.8 Description: The issue allows attackers to execute arbitrary code by uploading a crafted PDF file, exploiting an arbitrary file upload vulnerability. Recommendations: For O2OA version 8.3.8, consider restricting file upload...
PT-2024-10381 · Strapi · Strapi
Name of the Vulnerable Software and Affected Versions: Strapi affected versions not specified Description: The issue is related to a lack of protection measures on web pages, allowing a remote attacker to execute arbitrary JavaScript code by uploading a specially crafted PDF file. Recommendations...
PT-2024-21997 · Leantime · Leantime
Name of the Vulnerable Software and Affected Versions: Leantime version 3.0.6 Description: The issue allows attackers to execute arbitrary code via the upload of a crafted PDF file to the "files/browse" endpoint. This enables the execution of malicious scripts, potentially leading to unauthorized...
CVE-2024-2001
A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded...
PT-2024-18497 · Unknown · Cockpit Cms
Name of the Vulnerable Software and Affected Versions: Cockpit CMS version 2.7.0 Description: A Cross-Site Scripting issue in Cockpit CMS could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded...
CVE-2023-51252
PublicCMS 4.0 is vulnerable to Cross Site Scripting XSS. Because files can be uploaded and online preview function is provided, pdf files and html files containing malicious code are uploaded, an XSS popup window is realized through online viewing...
SUSE CVE-2009-1597
Mozilla Firefox executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as...
XSS via upload pdf file
Description Hi there, It's my pleasure to submit a report to you again to maintain the safety of the project.Most users can upload files in the module named 'Resources' .We can upload pdf files.But uploading malicious pdf files will cause xss vulnerability which will cause great harm to users of...
CVE-2022-39016
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload...
Design/Logic Flaw
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload...
PT-2022-24672 · Pdftron Systems +1 · Pdftron +1
Name of the Vulnerable Software and Affected Versions: M-Files Hubshare versions prior to 3.3.10.9 Description: The issue allows authenticated attackers to perform an account takeover via a crafted PDF upload, exploiting a Javascript injection in PDFtron. Recommendations: For versions prior to...