240 matches found

BDU FSTEC
added 2021/06/09 12:00 a.m. · 3 views

The vulnerability of the Nagios Fusion software for visualizing IT infrastructure’s operational status lies in its insecure management of privileges, allowing attackers to escalate their privileges.

The vulnerability of the Nagios Fusion software for visualizing IT infrastructure’s operational status is related to insecure management of privileges. Exploiting this vulnerability could allow a malicious actor to increase their privileges by installing a malicious component containing PHP code...

CVSS 9.8 · AI score 8 · EPSS 0.03607
Exploits 1 · References 4 · Affected software 1
OSV
added 2021/06/01 6:15 p.m. · 3 views

CVE-2021-32924

Invision Community aka IPS Community Suite before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\builder::previewBlock method interacts unsafely with the IPS\Theme::runProcessFunction method...

CVSS 8.8 · AI score 7.4 · EPSS 0.19908
Exploits 3 · References 5
CNNVD
added 2021/05/21 12:00 a.m. · 6 views

QibosoftX Code Injection Vulnerability

A code injection vulnerability exists in QibosoftX1 v1.0, which can be exploited by attackers to execute arbitrary PHP code via the client-side upgrade edition.php and upgrade.php...

CVSS 7.2 · AI score 7.6 · EPSS 0.01198
Exploits 1 · References 2
Positive Technologies
added 2021/03/30 12:00 a.m. · 4 views

PT-2021-6745 · Smarty +2 · Smarty +2

Name of the Vulnerable Software and Affected Versions: Smarty versions prior to 3.1.42 and 4.0.2 Description: The issue is related to the incorrect handling of code generation in the Smarty template engine for PHP. This allows template authors to run arbitrary PHP code by crafting a malicious mat...

CVSS 9.8 · AI score 6.9 · EPSS 0.82316
Exploits 5 · References 72
OSV
added 2021/02/12 9:15 p.m. · 2 views

CVE-2021-26753

NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data...

CVSS 9.9 · AI score 7.4 · EPSS 0.0115
Exploits 1 · References 1
CVE
added 2021/01/21 1:40 p.m. · 51 views

CVE-2020-26295

OpenMage (Magento CE fork) is affected in versions before 19.4.10 and 20.0.5. An administrator with permissions to import/export data and edit CMS pages could inject an executable file on the server via layout XML. The issue is fixed in 19.4.10 and 20.0.5; upgrade to these versions or later to re...

CVSS 8.7 · AI score 7.1 · EPSS 0.01782
Exploits 0 · References 3 · Affected software 1
CNVD
added 2020/11/19 12:00 a.m. · 3 views

Drupal Remote Code Execution Vulnerability (CNVD-2020-64563)

Drupal is an open source content management system developed by the Drupal community using the PHP language. A remote code execution vulnerability exists in Drupal. The vulnerability is due to Drupal core failing to properly handle certain filenames in uploaded files, which can be exploited by an...

CVSS 8.8 · AI score 9.1 · EPSS 0.04269
Exploits 0 · References 1
OSV
added 2020/10/02 1:15 p.m. · 1 view

UBUNTU-CVE-2020-18185

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modifying the configuration file in a Linux environment...

CVSS 9.8 · AI score 6.1 · EPSS 0.01749
Exploits 1 · References 3
OSV
added 2020/10/02 1:15 p.m. · 1 view

UBUNTU-CVE-2020-18184

In PluXml V5.7, the theme edit function /PluXml/core/admin/parametresedittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template...

CVSS 7.2 · AI score 6.1 · EPSS 0.01421
Exploits 1 · References 3
Hacker One
added 2020/10/01 9:11 p.m. · 108 views

Figma: Race condition while removing the love react in community files.

The researcher found that the server-side code for handling the "unlike" function for community pages was vulnerable to a race condition. While logically one person is only allowed to remove the one like they had, a hundred requests at the same time could allow one person to do a hundred unlikes...

AI score 3.3
Exploits 0
CNVD
added 2020/09/22 12:00 a.m. · 4 views

Typesetter CMS Cross-Site Scripting Vulnerability

Typesetter is a content management system (CMS). A cross-site scripting vulnerability exists in Typesetter CMS versions 5.x through 5.1, which originates from allowing administrators to upload and execute arbitrary PHP code via a ZIP archive containing a .PHP file. A...

CVSS 7.2 · AI score 7 · EPSS 0.15578
Exploits 3 · References 1
OSV
added 2020/09/11 5:15 p.m. · 2 views

CVE-2020-16857

A remote code execution vulnerability exists in Microsoft Dynamics 365 for Finance and Operations on-premises version 10.0.11. An attacker who successfully exploited this vulnerability could gain remote code execution via server-side script execution on the victim server. An authenticated attacke...

CVSS 7.1 · AI score 7.7 · EPSS 0.02466
Exploits 0 · References 1
Prion
added 2020/07/07 8:15 p.m. · 11 views

Code injection

Code42 environments with on-premises server versions 7.0.4 and earlier allow for possible remote code execution. When an administrator creates a local non-SSO user via a Code42-generated email, the administrator has the option to modify content for the email invitation. If the administrator enter...

CVSS 6.5 · AI score 7.3 · EPSS 0.02029
Exploits 0 · References 2 · Affected software 1
CNVD
added 2020/06/11 12:00 a.m. · 2 views

Zenphoto Code Injection Vulnerability

Zenphoto is a content management system (CMS). The Zenphoto code injection vulnerability can be exploited by an attacker to execute arbitrary PHP code...

CVSS 8.8 · AI score 8.1 · EPSS 0.01166
Exploits 0 · References 1
CNVD
added 2020/03/17 12:00 a.m. · 5 views

Tecrail Responsive FileManager Input Validation Error Vulnerability

Tecrail Responsive FileManager is an open source file manager written in PHP by Tecrail Italy. The product supports the uploading and management of videos, images or other files. A security vulnerability exists in the ajaxcalls.php file in Tecrail Responsive FileManager 9.14.0 and earlier version...

CVSS 9.8 · AI score 7.2 · EPSS 0.1929
Exploits 5 · References 1
Positive Technologies
added 2020/03/14 12:00 a.m. · 18 views

PT-2020-3996 · Unknown · Responsive Filemanager

Name of the Vulnerable Software and Affected Versions: Responsive Filemanager versions through 9.14.0 Description: An issue was discovered in the ajaxcalls.php file, specifically in the save img action, where the name parameter lacks validation of the sent extension. This allows for the executio...

CVSS 9.8 · AI score 9.5 · EPSS 0.1929
Exploits 5 · References 7
CNVD
added 2019/10/08 12:00 a.m. · 2 views

SugarCRM pmse_Project Module SQL Injection Vulnerability

SugarCRM is a set of open source customer relationship management software. A SQL injection vulnerability exists in the pmseProject module of SugarCRM. The vulnerability stems from a lack of input validation. An authenticated user with regular user privileges can exploit this vulnerability to...

CVSS 8.8 · AI score 7.8 · EPSS 0.01163
Exploits 0 · References 1
CNVD
added 2019/10/08 12:00 a.m. · 2 views

SugarCRM pmse_Inbox Module SQL Injection Vulnerability

SugarCRM is a set of open source customer relationship management software. A SQL injection vulnerability exists in the pmseInbox module of SugarCRM. The vulnerability stems from a lack of input validation. An attacker can exploit this vulnerability to inject custom PHP code...

CVSS 8.8 · AI score 8 · EPSS 0.01163
Exploits 0 · References 1
Talos Blog
added 2019/08/27 8:14 a.m. · 630 views

China Chopper still active 9 years later

By Paul Rascagneres and Vanja Svajcer. Introduction Threats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. China Chopper is a web shell that allows...

CVSS 7.2 · EPSS 0.562
Exploits 55
CNVD
added 2019/05/16 12:00 a.m. · 3 views

GetSimple CMS Remote Code Execution Vulnerability

GetSimple CMS is a content management system (CMS) written in PHP. A remote code execution vulnerability exists in GetSimple CMS version 3.3.15 and earlier. A remote attacker can exploit this vulnerability to execute arbitrary PHP code on an affected system...

CVSS 9.8 · AI score 8.5 · EPSS 0.71598
Exploits 5 · References 1