PT-2024-36387 · WordPress · The Plus Addons For Elementor Page Builder
Name of the Vulnerable Software and Affected Versions: Plus Addons for Elementor Page Builder plugin for WordPress versions up to, and including, 5.5.4 Description: The issue allows authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the...
CVE-2024-4551
The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and...
Aimeos Security Breach
Aimeos is an open source e-commerce framework for online stores from Aimeos Open Source. A security vulnerability exists in versions of Aimeos prior to 2024.04.5, which originates from a user with administrative privileges being able to upload files that look like images but contain PHP code that...
CVE-2024-3500
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...
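The three WordPress entries above (The Plus Addons, YotuWP Video Gallery, ElementsKit Pro) describe the same Local File Inclusion shape: a template or layout name taken from the request is joined onto a directory and included. The block below is an added example, not code from any of those plugins or from WordPress, written in Python so it runs anywhere: `naive_template_path` is the vulnerable shape, `safe_template_path` confines the resolved path to the template directory, and `demo()` builds a throwaway directory layout (the file names, the `templates/` directory and the constructed `wp-config.php` are assumptions) and compares the two on a legitimate name, a `..` traversal, a planted symlink and an absolute path.

```python
import os
import tempfile


def naive_template_path(template_dir, name):
    # The vulnerable shape: the request supplies the file name and it is joined
    # and included as-is. '..' walks out of template_dir, and an absolute name
    # makes os.path.join drop template_dir altogether.
    return os.path.join(template_dir, name)


def safe_template_path(template_dir, name):
    """Resolve template `name` inside template_dir or raise; never trust the raw string."""
    base = os.path.realpath(template_dir)
    # A template is a bare file name: no separators, no NUL, fixed extension.
    if not name or "\x00" in name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("invalid template name")
    if not name.endswith(".php"):
        raise ValueError("not a template file")
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment is checked on the *resolved* path, so a symlink planted inside
    # the templates directory cannot point the include somewhere else.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes template directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(name)
    return candidate


def demo():
    """Build a throwaway plugin layout (constructed, not a real install) and compare both resolvers."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    tdir = os.path.join(root, "templates")
    os.makedirs(tdir)
    with open(os.path.join(tdir, "price-menu.php"), "w") as fh:
        fh.write("<?php /* legitimate widget template */ ?>\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret'); ?>\n")
    # A symlink inside templates/ that points outside it (skipped where symlinks are not permitted).
    try:
        os.symlink(os.path.join(root, "wp-config.php"), os.path.join(tdir, "link.php"))
    except OSError:
        pass
    results = {}
    for req in ("price-menu.php", "../wp-config.php", "link.php", "/etc/passwd"):
        naive = naive_template_path(tdir, req)
        try:
            safe_template_path(tdir, req)
            verdict = "allowed"
        except (ValueError, FileNotFoundError) as exc:
            verdict = "rejected: " + str(exc)
        results[req] = {"naive_would_include": os.path.isfile(naive), "safe": verdict}
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:20s} naive includes file: {outcome['naive_would_include']!s:5s}  safe: {outcome['safe']}")
```

In a real plugin an explicit allowlist of template names (a fixed set keyed by widget) is stricter still, and the capability check matters as much as the path check: every one of the three advisories needs only Contributor-level access, which is exactly the role that should never be able to name a file on disk.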
Secret-Coder-PHP-Project Security Vulnerability
Secret-Coder-PHP-Project is a PHP-based project. A security vulnerability exists in version 1.0 of Secret-Coder-PHP-Project that stems from the inclusion of sensitive information in the code...
CVE-2023-47253
Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter...
CVE-2023-1719
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim ha...
The vulnerability of the WPanel CMS system, related to the lack of restrictions on file uploads, allows a hacker to execute arbitrary code.
The vulnerability in the WPanel CMS system is related to the lack of restrictions on file uploads. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by uploading arbitrary PHP files remotely...
CVE-2023-46815
An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with...
CVE-2023-37908 org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute...
Sangfor Next-Gen Application Firewall Security Vulnerabilities
Sangfor Next-Gen Application Firewall (Sangfor NGAF) is an application firewall from China-based Sangfor. A security vulnerability exists in Sangfor Next-Gen Application Firewall (NGAF) version 8.0.17, which originates from a source code disclosure issue. The vulnerability can be exploited to obtain...
CVE-2023-43835
Super Store Finder 3.7 and below is vulnerable to authenticated Arbitrary PHP Code Injection that could lead to Remote Code Execution when settings overwrite config.inc.php content...
CVE-2023-37629
Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to "add-pig.php."...
PT-2023-25764 · Travianz · Travianz
Name of the Vulnerable Software and Affected Versions: TravianZ versions 8.3.3 through 8.3.4 Description: The issue allows remote attackers to execute PHP code through PHP injection in the config editor on the admin page. Recommendations: For versions 8.3.3 and 8.3.4, consider disabling the confi...
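Super Store Finder (settings overwriting config.inc.php) and TravianZ (the admin config editor) share one root cause: a setting value is interpolated straight into PHP source that is later included. The block below is an added example, not code from either project, written in Python so it runs stand-alone: `render_naive` is the vulnerable interpolation, `render_safe` validates the key and emits a properly escaped PHP single-quoted literal, and `top_level_statements` is a small tokenizer that counts statements outside string literals, which is how the test shows the injected `system()` call becoming a second statement in the naive output and staying inert in the safe one. The `$config[...]` variable name and the payload are assumptions.

```python
import re

# Constructed payload of the kind a config editor would receive: it closes the
# quoted value, appends a statement, and comments out the original line end.
PAYLOAD = "x'; system($_GET['c']); //"


def render_naive(key, value):
    # The vulnerable shape: the request value lands inside PHP source unescaped.
    return f"$config['{key}'] = '{value}';"


def php_single_quoted(value):
    """Emit a PHP single-quoted literal: only backslash and the quote are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_safe(key, value):
    # Keys come from a fixed schema, so refuse anything that is not an identifier.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", key):
        raise ValueError("bad config key")
    return f"$config['{key}'] = {php_single_quoted(value)};"


def top_level_statements(line):
    """Count ';' outside single-quoted literals, honouring backslash escapes.

    Deliberately minimal: it understands only the construct render_safe emits,
    which is enough to show whether a value stayed inside its string.
    """
    count, in_str, i = 0, False, 0
    while i < len(line):
        ch = line[i]
        if in_str:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for label, line in (("naive", render_naive("store_name", PAYLOAD)),
                        ("safe", render_safe("store_name", PAYLOAD))):
        print(f"{label:5s} statements={top_level_statements(line)}  {line}")
```

The stronger fix is not to write settings into executable source at all: keep them in the database or a JSON file and read them at runtime, so that no amount of quoting mistakes can turn a setting into code.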
CVE-2023-35808
An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input...
SugarCRM Enterprise Security Vulnerability
SugarCRM Enterprise is an enterprise version of an open source Customer Relationship Management (CRM) system from SugarCRM USA. The system supports differentiated marketing for different customer needs, managing and distributing sales leads, and enabling information sharing and tracking of sales...
Cross site scripting
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting...
PT-2023-8608 · Xwiki · Xwiki
Name of the Vulnerable Software and Affected Versions: XWiki versions 4.2-milestone-1 through 14.10 Description: The issue concerns the "restricted" mode of the HTML cleaner in XWiki, which allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. This...