240 matches found

Positive Technologies · added 2023/04/18 12:00 a.m. · 4 views

PT-2023-8609 · Unknown · Xwiki Platform

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 14.10.3; XWiki Platform versions prior to 15.0-rc-1. Description: The issue allows a user without script or programming rights to edit a user profile or any other document with the wiki editor and add groovy...

CVSS 9.9 · AI score 8.6 · EPSS 0.0109 · Exploits 1 · References 8
NVD · added 2023/04/15 3:15 p.m. · 36 views

CVE-2023-29201

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 9 · AI score 9.2 · EPSS 0.01153 · Exploits 1 · References 6
Vulnrichment · added 2023/04/15 2:24 p.m. · 8 views

CVE-2023-29201 org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 9 · AI score 9.2 · EPSS 0.01153 · Exploits 1 · References 6
Cvelist · added 2023/04/15 2:24 p.m. · 48 views

CVE-2023-29201 org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 9 · AI score 9.4 · EPSS 0.01153 · Exploits 1 · References 6
SUSE CVE · added 2023/02/15 6:02 a.m. · 4 views

SUSE CVE-2009-3236

The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with...

CVSS 4.3 · AI score 7.8 · EPSS 0.02305 · Exploits 0 · References 4
CNNVD · added 2023/01/21 12:00 a.m. · 5 views

Yii2 Code Injection Vulnerability

Yii is a component-based, high-performance PHP framework for developing large-scale web applications, developed by the Yii team. Yii2 is a fast, secure and professional PHP framework. A security vulnerability exists in Yii2 Gii versions prior to 2.2.2, which allows remote attackers to execute...

CVSS 8.8 · AI score 8.6 · EPSS 0.01461 · Exploits 1 · References 3
OSV · added 2023/01/11 9:15 a.m. · 3 views

CVE-2023-22952

In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation...

CVSS 8.8 · AI score 5.9 · EPSS 0.80274 · Exploits 4 · References 3
CNNVD · added 2022/11/21 12:00 a.m. · 3 views

ChurchInfo Code Issue Vulnerability

ChurchInfo is a free church database program from the ChurchInfo team that helps churches track members, families, groups, pledges, and payments. An arbitrary file upload vulnerability exists in ChurchInfo versions 1.2.13 through 1.3.0. The vulnerability stems from the application'...

CVSS 8.8 · AI score 7.5 · EPSS 0.10523 · Exploits 5 · References 5
ATTACKERKB · added 2022/10/07 7:15 p.m. · 3 views

CVE-2022-41379

An arbitrary file upload vulnerability in the component /leavesystem/classes/Users.php?f=save of Online Leave Management System v1.0 allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 7.2 · AI score 7.4 · EPSS 0.0095 · Exploits 1 · References 2
BDU FSTEC · added 2022/08/17 12:00 a.m. · 3 views

A security misconfiguration vulnerability in the TeamPass password manager allows an attacker to execute arbitrary PHP code.

The vulnerability in the TeamPass password manager is related to security misconfiguration. Exploiting it allows a remote attacker to execute arbitrary PHP code...

CVSS 9.1 · AI score 5.8 · Exploits 0 · References 1 · Affected Software 1
CNNVD · added 2022/07/18 12:00 a.m. · 5 views

DSK DSKNet Code Issue Vulnerability

DSK DSKNet is a data interaction program from DSK Japan; its time and attendance data can be accessed interactively from any site connected to the network. A security vulnerability exists in DSK DSKNet 2.16.136.0 and 2.17.136.5: the Touch settings allow PDF uploads with PHP content and...

CVSS 8.8 · AI score 6.6 · EPSS 0.02623 · Exploits 1 · References 3
OSV · added 2022/07/04 1:15 p.m. · 4 views

CVE-2022-2268

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. This allows high-privilege users such as admin to upload an arbitrary file such as PHP, leading to RCE...

CVSS 7.2 · AI score 5.9 · EPSS 0.01148 · Exploits 2 · References 1
CNNVD · added 2022/05/10 12:00 a.m. · 3 views

CMSimple Code Issue Vulnerability

CMSimpleXH is a PHP-based content management system derived from the original CMSimple project, an offshoot of that project. CMSimpleXH suffers from a code execution vulnerability: an attacker can upload a PHP payload using the File parameter to gain privileges from a...

CVSS 10 · AI score 8.9 · EPSS 0.04192 · Exploits 1 · References 3
ATTACKERKB · added 2022/04/08 9:15 a.m. · 3 views

CVE-2022-27061

AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the Post Image function under the Admin panel. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file...

CVSS 7.2 · AI score 6.2 · EPSS 0.02367 · Exploits 3 · References 4
CNNVD · added 2022/04/04 12:00 a.m. · 2 views

WordPress and WordPress plugin Path Traversal Vulnerability

WordPress is a blogging platform from the WordPress Foundation, developed in PHP; it supports setting up personal blog sites on PHP and MySQL servers. WordPress plugin is an open-source plugin for WordPress. The WordPress JobMonster Theme plugin has an informatio...

CVSS 5.3 · AI score 5.7 · EPSS 0.01528 · Exploits 1 · References 3
Zero Day Initiative · added 2022/03/11 12:00 a.m. · 60 views

MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. The specific flaw exists within the Control Panel. The issue results from the lack of proper validation of a user-supplied string befor...

CVSS 7.2 · AI score 2.8 · EPSS 0.77677 · Exploits 9 · References 1
CNNVD · added 2022/02/01 12:00 a.m. · 4 views

Elite Graphix Elite Cms Security Vulnerability

Elite Graphix Elite Cms is a web content management system written in PHP by Elite Graphix India, a platform for storing and organizing information and documents. Elite Graphix Elite Cms v1.0 suffers from a file upload vulnerability that stems from the lack of proper validation of uploaded files...

CVSS 9.8 · AI score 5.8 · EPSS 0.01167 · Exploits 1 · References 2
OSV · added 2022/01/10 8:15 p.m. · 1 view

DEBIAN-CVE-2021-29454

Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the...

CVSS 8.8 · AI score 7.2 · EPSS 0.01927 · Exploits 0 · References 1
OSV · added 2022/01/10 8:15 p.m. · 1 view

UBUNTU-CVE-2021-29454

Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the...

CVSS 8.8 · AI score 6.8 · EPSS 0.01927 · Exploits 0 · References 11
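The two Smarty entries above describe a template engine evaluating a user-influenced math string as code. As an added example that is not Smarty's code or its fix, the block below shows the flaw class in its Python form (the string goes to eval) beside one hardening: parse the expression into an AST and evaluate only numeric literals, named variables, arithmetic operators and an allowlisted set of functions, with an exponent cap so that a short string cannot pin the process. The function names, the allowlists, the limits and the sample expressions are this example's own assumptions.

```python
"""Added example (not Smarty's code or its fix): evaluating a user-influenced
math string. unsafe_math is the flaw class; safe_math is one hardening.
Function names, allowlists, limits and sample expressions are this
example's own assumptions."""
import ast
import math
import operator


class UnsafeExpression(ValueError):
    """Raised when an expression uses anything outside the arithmetic subset."""


def unsafe_math(expr: str, variables=None):
    """The flaw class: the string reaches the language's own evaluator, so
    "__import__('os').system('id')" runs a command. Shown only as the
    'before' of safe_math; never call it on user data."""
    return eval(expr, {}, dict(variables or {}))


BINARY_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
              ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
FUNCTIONS = {"abs": abs, "round": round, "min": min, "max": max,
             "sqrt": math.sqrt, "floor": math.floor, "ceil": math.ceil}
MAX_LENGTH = 200      # refuse very long expressions outright
MAX_EXPONENT = 1000   # 9**9**9 would otherwise hang the process


def _is_number(value) -> bool:
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def safe_math(expr: str, variables=None):
    """Evaluate an arithmetic expression over an explicit, allowlisted subset.

    Anything else in the tree (attribute access, subscripts, strings, lambdas,
    calls to names outside FUNCTIONS) raises UnsafeExpression."""
    if len(expr) > MAX_LENGTH:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        raise UnsafeExpression("not a valid expression") from None
    variables = variables or {}

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and _is_number(node.value):
            return node.value
        if isinstance(node, ast.Name):
            value = variables.get(node.id)
            if not _is_number(value):
                raise UnsafeExpression(f"unknown variable: {node.id}")
            return value
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](ev(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
            left, right = ev(node.left), ev(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise UnsafeExpression("exponent too large")
            return BINARY_OPS[type(node.op)](left, right)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in FUNCTIONS and not node.keywords):
            return FUNCTIONS[node.func.id](*(ev(a) for a in node.args))
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


def run_math_demo() -> dict:
    """Run safe_math over constructed inputs: legitimate template arithmetic
    first, then the strings an attacker would supply."""
    cases = {
        "arithmetic": ("2 * (3 + 4)", {}),
        "variables": ("price * qty * (1 - discount)",
                      {"price": 20, "qty": 3, "discount": 0.25}),
        "functions": ("abs(-3) + max(2, 7)", {}),
        "command-injection": ("__import__('os').system('id')", {}),
        "attribute-escape": ("(1).__class__.__mro__", {}),
        "exponent-bomb": ("9**9**9", {}),
        "unknown-name": ("total + 1", {}),
    }
    results = {}
    for label, (expr, variables) in cases.items():
        try:
            results[label] = safe_math(expr, variables)
        except UnsafeExpression as e:
            results[label] = "rejected:" + str(e)
    return results
```

The point of parsing rather than filtering is that the decision is made on the tree, not on characters: a denylist of words such as "system" or "import" would miss the attribute-escape case, while the allowlist rejects every node type it was not written for. Variable values come from the application, not the string, so a template can reference price or qty without the string being able to name anything else.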
BDU FSTEC · added 2021/08/05 12:00 a.m. · 2 views

A vulnerability in the implementation of the Logging::update_logging() method in the Concrete5 CMS allows an attacker to execute arbitrary PHP code.

The vulnerability in the implementation of the Logging::update_logging() method in the Concrete5 CMS is related to deficiencies in the deserialization mechanism. Exploiting it could allow a remote attacker to execute arbitrary PHP code...

CVSS 10 · AI score 7.5 · EPSS 0.0368 · Exploits 1 · References 5 · Affected Software 1