CVE-2024-6936
Form Tools 3.1.1 has a vulnerability in the Setting Handler (file /admin/settings/index.php?page=accounts) where manipulating the Page Theme parameter leads to code injection. The issue can be exploited remotely, and public exploit information exists. Documents do not provide an official patched ...
PT-2024-37978 · Dedecms · Dedecms
Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7.114 Description: A critical issue has been found in DedeCMS, affecting an unknown part of the file article template rand.php. This issue leads to code injection and can be initiated remotely. The exploit has been disclosed...
GHSA-X86X-QHF8-F37W willdurand/js-translation-bundle potential path traversal attack and remote code injection
A path traversal vulnerability and a JavaScript code injection vulnerability were identified in willdurand/js-translation-bundle versions prior to 2.1.1...
CVE-2024-31847
An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization...
The vulnerability of the CMS system Netcat, related to the manipulation of inter-site requests, allows a hacker to inject PHP code.
The vulnerability of the CMS system Netcat is related to the manipulation of inter-site requests. Exploiting this vulnerability allows a malicious actor to inject PHP code remotely...
AutomationDirect C-MORE EA9 HMI
1. EXECUTIVE SUMMARY: CVSS v3 7.5. ATTENTION: Exploitable remotely/low attack complexity. Vendor: AutomationDirect. Equipment: C-MORE EA9 HMI. Vulnerabilities: Path Traversal, Stack-Based Buffer Overflow, Plaintext Storage of a Password. 2. RISK EVALUATION: Successful exploitation of these...
CVE-2024-2016
A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been...
CVE-2024-2497
A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiate...
EUVD-2024-27306
A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.85220230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to os command injection. The attack may be...
BIT-AIRFLOW-2020-11978
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler depending o...
BIT-MYBB-2021-43281
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed o...
BIT-DRUPAL-2021-33829
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because `--!` is mishandled...
CVE-2024-1705
A vulnerability was found in Shopwind up to 4.6. It has been rated as critical. This issue affects the function actionCreate of the file /public/install/controllers/DefaultController.php of the component Installation. The manipulation leads to code injection. The attack may be initiated remotely...
CVE-2024-1705
CVE-2024-1705 affects Shopwind up to version 4.6. The vulnerability is in the Installation component, specifically the actionCreate function of /public/install/controllers/DefaultController.php, allowing code injection. Impact is remote execution with high severity; exploitation is reported as kn...
Cross site scripting
Reflected cross-site scripting (XSS) vulnerability in the instance settings for Accounts in Liferay Portal 7.4.3.44 through 7.4.3.97, and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44 through 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected in...
CVE-2023-40191
CVE-2023-40191 – Reflected XSS in Liferay Portal/DXP: The vulnerability affects Liferay Portal 7.4.3.44–7.4.3.97 and Liferay DXP 2023.Q3 before patch 6, and 7.4 update 44–92. It allows remote attackers to inject arbitrary web script or HTML via the Blocked Email Domains field in Accounts > ins...
CVE-2024-25601
CVE-2024-25601 affects the Expando module geolocation custom fields in Liferay Portal 7.2.0–7.4.2 and older unsupported versions, and Liferay DXP 7.3 before SP3, 7.2 before FP17. It is a stored XSS vulnerability allowing remote authenticated users to inject arbitrary web script or HTML via the na...
CVE-2024-25602
Summary (CVE-2024-25602) Stored cross-site scripting (XSS) vulnerability in the Users Admin module’s edit user page of Liferay Portal (7.2.0–7.4.2) and Liferay DXP (7.3 before SP3, 7.2 before fix pack 17; older unsupported versions). An authenticated remote user can inject arbitrary web script or...
PT-2024-18238 · Shopwind · Shopwind
Name of the Vulnerable Software and Affected Versions: Shopwind versions up to 4.6 Description: A critical issue affects the actionCreate function of the /public/install/controllers/DefaultController.php file in the Installation component, leading to code injection. The attack can be initiated...