14 matches found
Prototype Pollution
Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution in the protoAccessControl function. An attacker can gain unauthorized access to prototype methods by referencing lookupSetter in templates through...
Stored Cross-Site Scripting (XSS)
getgrav/grav is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to insufficient input sanitization in the dataheadertemplate parameter at the /admin/pages/page endpoint, which allows an attacker to inject and store malicious scripts that execute when the content is rendere...
EUVD-2025-6977
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2017-1000031
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SQL injection vulnerability in graphtemplatesinputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graphtemplateinputid a...
Dell PowerProtect Data Manager Reporting 安全漏洞
Dell PowerProtect Data Manager Reporting is a data protection management software. An information disclosure vulnerability exists in Dell PowerProtect Data Manager Reporting, which arises from the program's failure to properly handle template input and can be exploited by an attacker to obtain...
CVE-2024-6986
A Cross-site Scripting XSS vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'fulltemplate' variable directly as HTML. This allows an attacker to execute maliciou...
USN-7158-1 smarty3 vulnerabilities
It was discovered that Smarty incorrectly handled query parameters in requests. An attacker could possibly use this issue to inject arbitrary Javascript code, resulting in denial of service or potential execution of arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubun...
@blakeembrey/template vulnerable to code injection when attacker controls template input
Impact It is possible to inject and run code within the template if the attacker has access to write the template name. js const template = require'@blakeembrey/template'; template"Hello name!", "exploit && = console.log'success'; && function pwned"; Patches Upgrade to 1.2.0. Workarounds Don't pa...
SUSE CVE-2017-1000031
SQL injection vulnerability in graphtemplatesinputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graphtemplateinputid and graphtemplateid parameters...
GHSA-FW2F-7F87-5R6C Improper Input Validation in access-policy
access-policy through 3.1.0 is vulnerable to Arbitrary Code Execution. User input provided to the template function is executed by the eval function resulting in code execution...
Cisco SD-WAN vMange Command Injection Vulnerability
Cisco SD-WAN vManage is a software from Cisco that provides software-defined networking capabilities. The software provides a way to virtualize the network. A command injection vulnerability exists in Cisco SD-WAN vMange. The vulnerability stems from the program not properly validating user input...
Arbitrary Code Execution
Overview access-policy is a package that encodes and decodes policy JSON files for use with web applications. Affected versions of this package are vulnerable to Arbitrary Code Execution. User input provided to the template function is executed by the eval function resulting in code execution. Po...
DEBIAN-CVE-2017-1000031
SQL injection vulnerability in graphtemplatesinputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graphtemplateinputid and graphtemplateid parameters...
SocialEngine多个SQL注入漏洞
BUGTRAQ ID: 30342 SocialEngine是基于PHP的社会网络平台,允许在网站上创建社会网络。 在客户端认证期间,include/classuser.php文件没有正确地验证对seuser cookie参数的输入,include/classadmin.php文件没有正确的验证对seadmin参数的输入,这允许远程攻击者执行SQL注入攻击,无需有效的管理员凭据便以管理权限登录;此外SocialEngine没有正确地验证对模板数据的输入便储存到了模板中,远程攻击者可以注入并执行恶意PHP代码,导致完全控制服务器。 Webligo Developments...