277 matches found
CVE-2024-33527
A Stored Cross-site Scripting XSS vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload...
CVE-2024-33526
A Stored Cross-site Scripting XSS vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload...
CVE-2024-33528
CVE-2024-33528 is a Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7.x before 7.30 and 8.x before 8.11. Remote authenticated attackers with tutor privileges can inject arbitrary web script or HTML via XML file uploads. Root cause relates to how XML uploads are processed (stored XSS). Im...
CVE-2024-3871
CVE-2024-3871 affects Delta Electronics DVW-W02W2-E2 web administration interface, with versions up to 2.5.2. The issue stems from command injections and stack overflows in the web UI, enabling remote attackers to achieve remote code execution with elevated privileges. The NVD entry states this c...
CVE-2024-29514
File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file...
BIT-SUITECRM-2020-14208
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting XSS in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML...
CVE-2023-31505
An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file...
CVE-2023-48201
Cross Site Scripting XSS vulnerability in Sunlight CMS v.8.0.1, allows remote authenticated attackers to execute arbitrary code and escalate privileges via a crafted script to the Content text editor component...
CVE-2023-36654
Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys associated with a Linux root user by injecting paths inside REST API endpoint parameters...
CVE-2023-40158
Hidden functionality vulnerability in the CBC products allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter its settings. As for the affected products/versions, see the detailed information provided by the vendor. Note that NR4H, NR8H, NR16H series and...
Synology Router Manager (SRM) 1.1.x DoS Vulnerability (Synology-SA-17:49)
Synology Router Manager SRM is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Command injection
OS command injection vulnerability in the mail setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows remote authenticated attackers to execute an arbitrary OS command...
CVE-2023-27521
OS command injection vulnerability in the mail setting page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows remote authenticated attackers to execute an arbitrary OS command...
CVE-2021-28998
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file...
PT-2023-19054 · Unknown · Conprosys M2M Gateway +2
Name of the Vulnerable Software and Affected Versions: CONPROSYS M2M Gateway versions 3.7.10 and earlier CONPROSYS M2M Controller Integrated Type versions 3.7.6 and earlier CONPROSYS M2M Controller Configurable Type versions 3.8.8 and earlier Description: An improper access control issue allows a...
CVE-2021-36538
Cross Site Scripting XSS vulnerability in Gurock TestRail before 7.1.2 allows remote authenticated attackers to run arbitrary code via the reference field in milestones or description fields in reports...
CVE-2022-46889
A persistent cross-site scripting XSS vulnerability in NexusPHP before 1.7.33 allows remote authenticated attackers to permanently inject arbitrary web script or HTML via the title parameter used in /subtitles.php...
CVE-2022-43660
Improper neutralization of Server-Side Includes SSW within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an arbitrary Perl script and/or an arbitrary OS command. Affected products/versions are as follows: Movable...
File Upload Filter Bypass
Description A sanitization filter bypass in plupload.php in MicroweberCMS v1.3.1 allows remote authenticated attackers to upload files outside the restricted location. The target $path for the image is being sanitized here: php $pathrestirct = userfilespath; if isset$REQUEST'path' and...
Authenticated SQL Injection in OpenSIS Classic v9.0 and earlier
Description SQL injection in OpenSIS Classic v9.0 and earlier allows remote authenticated attackers to execute SQL code via the id parameter in MassScheduleModal.php leading to full database information disclosure. Version At the time of reporting, the most up-to-date version of the master branch...