236 matches found
SUSE CVE-2009-3236
The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process, which allows remote attackers, with...
Yii2 code injection vulnerability
Yii is a component-based, high-performance PHP framework for developing large-scale web applications, developed by the Yii team. yii2 is a fast, secure and professional PHP framework. A security vulnerability exists in Yii2 Gii versions prior to 2.2.2, which allows remote attackers to execute...
CVE-2023-22952
In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation...
ChurchInfo code issue vulnerability
ChurchInfo is a free church database program from the ChurchInfo team that helps churches track members, families, groups, pledges, and payments. An arbitrary file upload vulnerability exists in ChurchInfo versions 1.2.13 through 1.3.0. The vulnerability stems from the application'...
CVE-2022-41379
An arbitrary file upload vulnerability in the component /leavesystem/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file...
A security misconfiguration vulnerability in the TeamPass password manager allows an attacker to execute arbitrary PHP code.
The vulnerability in the TeamPass password manager is related to security misconfiguration. Exploiting this vulnerability allows a malicious actor, operating remotely, to execute arbitrary PHP code...
DSK DSKNet code issue vulnerability
DSK DSKNet is a data interaction program from DSK Japan; its time and attendance data can be accessed interactively from any site connected to your network. DSK DSKNet 2.16.136.0 and 2.17.136.5 contain a security vulnerability in the Touch settings, which allow PDF uploads with PHP content and...
CVE-2022-2268
The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE...
CMSimple code issue vulnerability
CMSimpleXH is a PHP-based content management system derived from the original CMSimple project, of which it is an offshoot. CMSimpleXH suffers from a code execution vulnerability that can be exploited by an attacker to upload a PHP payload via the File parameter and gain privileges from a...
CVE-2022-27061
AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file...
WordPress and WordPress plugin path traversal vulnerability
WordPress is the WordPress Foundation's blogging platform, developed in PHP. The platform supports setting up personal blogging sites on PHP and MySQL servers. A WordPress plugin is an open source application plugin for WordPress. The WordPress JobMonster Theme plugin has an informatio...
MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. The specific flaw exists within the Control Panel. The issue results from the lack of proper validation of a user-supplied string befor...
Elite Graphix Elite Cms security vulnerability
Elite Graphix Elite Cms is a web content management system written in PHP by Elite Graphix India, a platform for storing and organizing information and documents. Elite Graphix Elite Cms v1.0 suffers from a file upload vulnerability that stems from the lack of proper validation of uploaded files...
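The upload entries above (Online Leave Management System, Import any XML or CSV File to WordPress, AeroCMS, Elite Cms, DSKNet) share one root cause: the server trusts the client-supplied filename or Content-Type, or extracts an archive without looking at what is inside, and the web server then executes the stored file as PHP. The following is an added example, not code from any of the listed projects, of an upload gate that closes both paths: an extension allowlist checked against every dot-separated segment (so `shell.php.jpg` and `.htaccess` are caught), a magic-byte check via `finfo` instead of the request's Content-Type, and a per-member inspection of zip archives before anything is extracted. It assumes PHP 8 with the `zip` and `fileinfo` extensions; all function and constant names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not code from any project on this page. Assumes PHP 8 with
// the zip and fileinfo extensions; function and constant names are assumptions.

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'csv', 'xml'];

// Anything a typical web server might hand to the PHP interpreter. Checked
// against every segment after the base name so that shell.php.jpg (Apache
// multi-extension handling) and .htaccess (handler overrides) are rejected.
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php5', 'php7', 'php8', 'phtml',
                             'phar', 'phps', 'htaccess', 'shtml', 'cgi'];

function extensionAllowed(string $name): bool
{
    $segments = explode('.', strtolower(basename($name)));
    array_shift($segments);                       // drop the base name
    if ($segments === []) {
        return false;                             // no extension at all
    }
    foreach ($segments as $segment) {
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return false;
        }
    }
    return in_array(end($segments), ALLOWED_EXTENSIONS, true);
}

// The Content-Type in $_FILES is attacker-controlled; inspect the bytes instead.
function contentMatchesExtension(string $path, string $name): bool
{
    $expected = [
        'png' => ['image/png'], 'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
        'gif' => ['image/gif'], 'pdf' => ['application/pdf'],
        'csv' => ['text/plain', 'text/csv'], 'xml' => ['text/xml', 'application/xml'],
    ];
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return isset($expected[$ext]) && in_array($mime, $expected[$ext], true);
}

// Inspect every member name before extracting anything. A blind
// ZipArchive::extractTo() is the pattern the WordPress import entry describes.
function archiveMembersAreSafe(string $zipPath): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $member = $zip->getNameIndex($i);
            if (str_ends_with($member, '/')) {
                continue;                         // directory entry
            }
            // Conservative traversal check: any "..", backslash or absolute path
            // is refused, even in otherwise harmless names like "a..b.png".
            if (str_starts_with($member, '/') || str_contains($member, '..')
                || str_contains($member, '\\')) {
                return false;
            }
            if (!extensionAllowed($member)) {
                return false;
            }
        }
    } finally {
        $zip->close();
    }
    return true;
}

// Store under a server-generated name so the client's filename never reaches
// the filesystem. $destDir should be outside the web root, or be served with
// PHP execution disabled for that directory.
function storeUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    $name = (string) $file['name'];
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));

    if ($ext === 'zip') {
        if (!archiveMembersAreSafe($file['tmp_name'])) {
            throw new RuntimeException('archive contains disallowed members');
        }
    } elseif (!extensionAllowed($name) || !contentMatchesExtension($file['tmp_name'], $name)) {
        throw new RuntimeException('file type not allowed');
    }

    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}
```

The allowlist is deliberately the only positive signal; the executable-segment denylist is a second gate in case the allowlist is later widened carelessly. Note that `archiveMembersAreSafe` validates names only; it does not defend against archive bombs or symlink members, which need size limits and a post-extraction `is_link` check in the extraction step itself.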
DEBIAN-CVE-2021-29454
Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the...
UBUNTU-CVE-2021-29454
Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the...
A vulnerability in the implementation of the Logging::update_logging() method in the Concrete5 CMS allows an attacker to execute arbitrary PHP code.
The vulnerability in the Logging::updatelogging method implementation in the Concrete5 CMS is related to deficiencies in the deserialization mechanism. Exploiting this vulnerability could allow an attacker, operating remotely, to execute arbitrary PHP code...
A vulnerability in Nagios Fusion, software for visualizing the operational status of IT infrastructure, lies in its insecure management of privileges and allows attackers to escalate their privileges.
The vulnerability in Nagios Fusion, software for visualizing the operational status of IT infrastructure, is related to insecure management of privileges. Exploiting this vulnerability could allow a malicious actor to escalate their privileges by installing a malicious component containing PHP code...
CVE-2021-32924
Invision Community aka IPS Community Suite before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\builder::previewBlock method interacts unsafely with the IPS\Theme::runProcessFunction method...
QibosoftX code injection vulnerability
A code injection vulnerability exists in QibosoftX1 v1.0, which can be exploited by attackers to execute arbitrary PHP code via the client-side upgrade scripts edition.php and upgrade.php...
PT-2021-6745 · Smarty +2
Name of the Vulnerable Software and Affected Versions: Smarty versions prior to 3.1.42 and 4.0.2. Description: The issue is related to the incorrect handling of code generation in the Smarty template engine for PHP. This allows template authors to run arbitrary PHP code by crafting a malicious mat...