843 matches found

RedhatCVE, added 2025/05/23 3:22 a.m., 5 views

CVE-2023-24737

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/exportz3950.php...

CVSS 6.1 · AI score 6.2 · EPSS 0.03412
Exploits 1 · References 1
RedhatCVE, added 2025/05/23 3:13 a.m., 2 views

CVE-2023-24731

Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the query parameter in the user profile update function...

CVSS 8.8 · AI score 8.4 · EPSS 0.00885
Exploits 1 · References 1
RedhatCVE, added 2025/05/23 3:12 a.m., 3 views

CVE-2023-23957

An authenticated user can see and modify the value for the 'next' query parameter in Symantec Identity Portal 14.4...

CVSS 5.4 · AI score 6.8 · EPSS 0.00276
Exploits 0 · References 1
RedhatCVE, added 2025/05/23 2:52 a.m., 3 views

CVE-2023-0421

The Cloud Manager WordPress plugin through 1.0 does not sanitise and escape the query param ricerca before outputting it in an admin panel, allowing unauthenticated attackers to trick a logged-in admin into triggering an XSS payload by clicking a link...

CVSS 6.1 · AI score 5.8 · EPSS 0.01134
Exploits 2 · References 1
RedhatCVE, added 2025/05/22 11:21 p.m., 2 views

CVE-2022-45049

A reflected XSS vulnerability has been found in Axiell Iguana CMS, allowing an attacker to execute code in a victim's browser. The url parameter on the novelist.php endpoint does not properly neutralise user input, resulting in the vulnerability...

CVSS 6.1 · AI score 6.7 · EPSS 0.00363
Exploits 0 · References 1
RedhatCVE, added 2025/05/22 10:07 p.m., 3 views

CVE-2022-3573

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute...

CVSS 5.4 · AI score 7 · EPSS 0.01246
Exploits 0 · References 1
RedhatCVE, added 2025/05/22 3:17 p.m., 3 views

CVE-2020-19625

Remote Code Execution Vulnerability in tests/support/stores/testgridfilter.php in oria gridx 1.3 allows remote attackers to execute arbitrary code via a crafted value to the $query parameter...

CVSS 9.8 · AI score 8.2 · EPSS 0.85733
Exploits 1
RedhatCVE, added 2025/05/22 11:40 a.m., 4 views

CVE-2016-11085

php/qmnoptionsquestionstab.php in the quiz-master-next plugin before 4.7.9 for WordPress allows CSRF, with resultant stored XSS, via the questionname parameter because js/adminquestion.js mishandles parsing inside of a SCRIPT element...

CVSS 6.5 · AI score 6.8 · EPSS 0.00315
Exploits 1 · References 1
RedhatCVE, added 2025/05/22 8:23 a.m., 4 views

CVE-2019-11427

An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter...

CVSS 6.1 · AI score 6.1 · EPSS 0.0024
Exploits 1 · References 1
RedhatCVE, added 2025/05/22 8:10 a.m., 5 views

CVE-2014-4036

Cross-site scripting (XSS) vulnerability in modules/system/admin.php in ImpressCMS 1.3.6.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a listimg action...

CVSS 4.3 · AI score 5.8 · EPSS 0.00225
Exploits 1 · References 1
RedhatCVE, added 2025/05/22 7:34 a.m., 3 views

CVE-2018-10704

yidashi yii2cmf 2.0 has XSS via the /search q parameter...

CVSS 6.1 · AI score 5.8 · EPSS 0.00328
Exploits 1 · References 1
RedhatCVE, added 2025/05/22 1:36 a.m., 5 views

CVE-2010-4966

Cross-site scripting (XSS) vulnerability in default.asp in ATCOM Netvolution allows remote attackers to inject arbitrary web script or HTML via the query parameter in a Search action...

CVSS 4.3 · AI score 5.9 · EPSS 0.00225
Exploits 1 · References 1
Vulnrichment, added 2025/05/01 5:20 p.m., 13 views

CVE-2025-46337 SQL injection in ADOdb PostgreSQL driver pg_insert_id() method

ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. Prior to version 5.22.9, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and...

CVSS 10 · AI score 9.8 · EPSS 0.00522
Exploits 0 · References 3
Github Security Blog, added 2025/05/01 1:59 p.m., 21 views

SQL injection in ADOdb PostgreSQL driver pg_insert_id() method

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. Note that the indicated Severity corresponds to a worst-case usage scenario. Impact: PostgreSQL...

CVSS 10 · AI score 9.7 · EPSS 0.00522
Exploits 0 · References 7 · Affected Software 1
GitLab Advisory Database, added 2025/05/01 12:00 a.m., 17 views

SQL injection in ADOdb PostgreSQL driver pg_insert_id() method

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL database and calls pg_insert_id() with user-supplied data. Note that the indicated Severity corresponds to a worst-case usage scenario...

CVSS 10 · AI score 8.1 · EPSS 0.00522
Exploits 0 · References 8 · Affected Software 1
CNNVD, added 2025/04/27 12:00 a.m., 2 views

Apereo CAS security vulnerability

Apereo CAS is a web-based enterprise multilingual single sign-on solution from Apereo open source. A security vulnerability exists in Apereo CAS version 5.2.6, which stems from the file cas-5.2.6webapp-mgmtcas-management-webapp-...

CVSS 5.1 · AI score 4.1 · EPSS 0.00501
Exploits 0 · References 5
OSV, added 2025/04/14 11:26 a.m., 20 views

BIT-RAILS-2024-41128 Action Dispatch has possible ReDoS vulnerability in query parameter filtering

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters...

CVSS 8.7 · AI score 6.5 · EPSS 0.00557
Exploits 0 · References 8
Vulnrichment, added 2025/03/31 5:06 p.m., 40 views

CVE-2025-31125 Vite has `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Vite is a frontend tooling framework for JavaScript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network using --host or the server.host config option are affected. This vulnerability is fixed in 6.2.4, 6.1.3,...

CVSS 5.3 · AI score 6.8 · EPSS 0.83244
Exploits 9 · References 2
Cvelist, added 2025/03/26 5:18 p.m., 8 views

CVE-2025-30352 Directus `search` query parameter allows enumeration of non-permitted fields

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the...

CVSS 5.3 · EPSS 0.00144
Exploits 0 · References 2
Positive Technologies, added 2025/02/28 12:00 a.m., 2 views

PT-2025-9105 · Soteshop · Soteshop

Name of the Vulnerable Software and Affected Versions: Soteshop versions prior to 8.3.4
Description: A Cross-Site Scripting (XSS) issue exists, allowing remote attackers to execute arbitrary code via the query parameter in "/app-google-custom-search/searchResults". This can lead to the theft of...

CVSS 6.1 · AI score 6.3 · EPSS 0.00114
Exploits 0 · References 6