WP Admin Menu Cross-Site Scripting Vulnerability
WordPress is a blogging platform developed in PHP, which supports setting up personal blog sites on servers running PHP and MySQL. It is widely used internationally and is compatible with self-developed plug-ins. Cross-site scripting vulnerability...
Amazon Linux AMI : doxygen (ALAS-2020-1412)
The version of doxygen installed on the remote host is prior to 1.8.5-4.14. It is, therefore, affected by a vulnerability as referenced in the ALAS-2020-1412 advisory. Insufficient sanitization of the query parameter in templates/html/searchopensearch.php could lead to reflected cross-site...
Low: doxygen
Issue Overview: Insufficient sanitization of the query parameter in templates/html/searchopensearch.php could lead to reflected cross-site scripting or iframe injection. CVE-2016-10245 Affected Packages: doxygen Issue Correction: Run yum update doxygen or yum update --advisory ALAS-2020-1412 to...
CVE-2020-14010
The Laborator Xenon theme 1.3 for WordPress allows Reflected XSS via the data/typeahead-generate.php q aka name parameter...
USN-4381-2 python-django vulnerabilities
USN-4381-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: Dan Palmer discovered that Django incorrectly validated memcached cache keys. A remote attacker could possibly use this issue to cause a denial of...
Fedora 31 : perl-Mojolicious (2020-aceb5a1d0a)
This package fixes a security issue that allowed for method query parameters to be used with GET requests. The fix is backported from Mojolicious v8.42. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has...
python: CRLF injection via the query part of the url passed to urlopen()
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the query string after a ? charact...
CVE-2020-2169
A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability...
CVE-2020-10408
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/edit-subscriber.php by adding a question mark ? followed by the payload...
CVE-2019-19134
The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of ...
CVE-2019-11292
Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...
Disclosure of files via logo_path query parameter
Require version that checks mime type...
Cloud Foundry UAA Release Information Disclosure Vulnerability
UAA Release and UAA are both certification and managed service endpoints for different versions of Cloud Foundry. An information disclosure vulnerability exists in Cloud Foundry UAA Release prior to 74.8.0. The vulnerability stems from the UAA Release logging all query parameters to the tomcat...
CVE-2013-6878
Cross-site scripting XSS vulnerability in the Mijosoft MijoSearch component 2.0.4 and earlier for Joomla! allows remote attackers to inject arbitrary web script or HTML via the query parameter to component/mijosearch/search...
fat_free_crm XSS via query parameter of tags_helper method
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb...
CVE-2019-13488
A cross-site scripting XSS vulnerability in static/js/trape.js in Trape through 2019-05-08 allows remote attackers to inject arbitrary web script or HTML via the country, query, or refer parameter to the /register URI, because the jQuery prepend method is used...
D-Link Central WiFi Manager (CWM-100) Arbitrary SQL Command Query Vulnerability
D-Link Central WiFi Manager CWM-100 is a Web-based wireless access point management tool. An arbitrary SQL command query vulnerability exists in D-Link Central WiFi Manager CWM-100 versions prior to 1.03R0100BETA6. The vulnerability stems from a failure to validate input. An attacker can exploit...
SUSE-SU-2019:1570-1 Security update for doxygen
This update for doxygen fixes the following issues: - CVE-2016-10245: XSS was possible via insufficient sanitization of the query parameter in templates/html/searchopensearch.php bsc1136364...
Django Cross-site Scripting in AdminURLFieldWidget
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...