27 matches found

Snyk (added 2026/03/24 12:32 a.m.)

Command Injection

Overview: indico is a conference lifecycle management and meeting/lecture scheduling tool. Affected versions of this package are vulnerable to Command Injection due to insufficient sanitization of LaTeX syntax. An attacker can execute arbitrary code or access local files by submitting...

CVSS 8.8 · AI score 6.3 · EPSS 0.00114 · Exploits 0 · References 2
OSV (added 2026/03/23 10:45 p.m.)

CVE-2026-33046 Indico discloses local files resulting in Remote Code Execution through LaTeX injection

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaT...

CVSS 7.7 · AI score 6 · EPSS 0.00114 · Exploits 0 · References 8
Github Security Blog (added 2026/03/23 8:43 p.m.)

Indico discloses local files resulting in Remote Code Execution through LaTeX injection

Note: if server-side LaTeX rendering is not in use (i.e. XELATEXPATH was not set in indico.conf), this vulnerability does not apply. Impact: due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX...

CVSS 8.8 · AI score 6 · EPSS 0.00114 · Exploits 0 · References 8 · Affected software 1
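The GitHub advisory above makes the scoping condition explicit: the LaTeX-injection issue only reaches a host where XELATEXPATH is set in indico.conf, and the fix shipped in Indico 3.3.12. The triage helper below is an added example (not Indico's own tooling) that applies exactly those two conditions to a config file and an installed version string. It assumes indico.conf uses the Python-style `NAME = 'value'` assignment syntax and that a commented-out or empty XELATEXPATH means rendering is disabled; the sample config texts are constructed for the demo.

```python
import re

# Version in which the fix landed, per the OSV entry ("versions prior to 3.3.12").
FIXED_VERSION = (3, 3, 12)

# Matches an uncommented, quoted XELATEXPATH assignment on its own line.
# Assumption: indico.conf uses Python-style assignments, e.g. XELATEXPATH = '/usr/bin/xelatex'.
_XELATEX_RE = re.compile(r"""^\s*XELATEXPATH\s*=\s*(['"])(.*?)\1\s*$""", re.M)


def latex_rendering_enabled(conf_text: str) -> bool:
    """True when XELATEXPATH is set to a non-empty path (server-side LaTeX rendering on)."""
    m = _XELATEX_RE.search(conf_text)
    return bool(m and m.group(2).strip())


def parse_version(version: str) -> tuple:
    """Turn '3.3.11' (or '3.3.12.dev0', 'v3.3.12') into a comparable tuple of the first three ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def indico_latex_exposed(conf_text: str, version: str) -> tuple:
    """Return (affected, reason) for one Indico host."""
    if not latex_rendering_enabled(conf_text):
        return (False, "XELATEXPATH not set in indico.conf; server-side LaTeX rendering is "
                       "disabled and the advisory does not apply")
    if parse_version(version) < FIXED_VERSION:
        return (True, f"XELATEXPATH is set and Indico {version} is older than 3.3.12; upgrade")
    return (False, f"XELATEXPATH is set but Indico {version} already includes the fix")


# Constructed sample configs (not real deployments).
ENABLED_CONF = "SECRET_KEY = 'constructed'\nXELATEXPATH = '/usr/bin/xelatex'\n"
DISABLED_CONF = "SECRET_KEY = 'constructed'\n# XELATEXPATH = '/usr/bin/xelatex'\n"
EMPTY_CONF = "SECRET_KEY = 'constructed'\nXELATEXPATH = ''\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python indico_latex_check.py /path/to/indico.conf 3.3.11
        with open(sys.argv[1]) as fh:
            affected, why = indico_latex_exposed(fh.read(), sys.argv[2])
    else:
        affected, why = indico_latex_exposed(ENABLED_CONF, "3.3.11")
    print(("AFFECTED: " if affected else "not affected: ") + why)
```

The version comparison is done on integer tuples rather than strings so that 3.10.0 sorts after 3.3.12; a plain string compare would get that wrong.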
RedhatCVE (added 2026/01/09 9:05 a.m.)

CVE-2024-41804

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially...

CVSS 6.5 · AI score 7.8 · EPSS 0.00538 · Exploits 0 · References 1
Patchstack (added 2025/04/19 12:15 a.m.)

WordPress Download Manager plugin <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion vulnerability

Authenticated (Author+) Arbitrary File Deletion vulnerability discovered by Wordfence in the WordPress plugin Download Manager, versions <= 3.3.12...

CVSS 8.8 · AI score 8.4 · EPSS 0.02081 · Exploits 0 · References 1 · Affected software 1
CNNVD (added 2025/04/18 12:00 a.m.)

WordPress plugin Download Manager cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 5.4 · AI score 5.9 · EPSS 0.00079 · Exploits 0 · References 3
NVD (added 2025/04/03 2:15 p.m.)

CVE-2025-31876

Missing Authorization vulnerability in gunnarpayday Payday (payday) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payday: from n/a through 3.3.18...

CVSS 5.8 · EPSS 0.00469 · Exploits 0 · References 1
RedhatCVE (added 2025/02/05 7:30 p.m.)

CVE-2022-0889

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the /includes/ajax/controllers/uploads.php file, which can be used by unauthenticated attackers to add malicious web script...

CVSS 7.2 · AI score 6.1 · EPSS 0.02022 · Exploits 0 · References 1
CNNVD (added 2024/11/01 12:00 a.m.)

WordPress plugin Order Tracking security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 8.8 · AI score 6.6 · EPSS 0.00289 · Exploits 0 · References 1
Positive Technologies (added 2024/11/01 12:00 a.m.)

PT-2024-30510 · Unknown · Etoile Web Design Order Tracking

Name of the Vulnerable Software and Affected Versions: Etoile Web Design Order Tracking versions n/a through 3.3.12. Description: The issue is related to a Missing Authorization vulnerability, which allows accessing functionality not properly constrained by ACLs. Recommendations: For versions n/a...

CVSS 8.8 · AI score 6.5 · EPSS 0.00289 · Exploits 0 · References 4
OSV (added 2024/07/30 4:24 p.m.)

CVE-2024-41944 Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the report/data/proofofplayReport API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the...

CVSS 6.5 · AI score 7.9 · EPSS 0.00197 · Exploits 0 · References 5
NVD (added 2024/07/30 4:15 p.m.)

CVE-2024-41802

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into t...

CVSS 8.1 · EPSS 0.00683 · Exploits 0 · References 3
NVD (added 2024/07/30 4:15 p.m.)

CVE-2024-41803

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for...

CVSS 4.9 · EPSS 0.0053 · Exploits 0 · References 3
CVE (added 2024/07/30 3:51 p.m.)

CVE-2024-41804

CVE-2024-41804 affects Xibo CMS (DataSet Column Formulas API). An SQL injection vulnerability is exploitable by an authenticated user via the formula parameter, enabling access to or modification of arbitrary data in the Xibo database. Remediation: upgrade to Xibo versions 3.3.12 or 4.0.14, which f...

CVSS 6.5 · AI score 6.7 · EPSS 0.00538 · Exploits 0 · References 3 · Affected software 1
Vulnrichment (added 2024/07/30 3:51 p.m.)

CVE-2024-41804 Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially...

CVSS 6.5 · AI score 6.7 · EPSS 0.00538 · Exploits 0 · References 3
CVE (added 2024/07/30 3:49 p.m.)

CVE-2024-41802

Xibo CMS has a SQL injection vulnerability in the API routes that filter DataSets. An authenticated user can inject crafted values via the Import JSON and Import Layout DataSet APIs to read/modify data in the Xibo database. Affected software: Xibo CMS; the vulnerability arises in DataSet filtering co...

CVSS 8.1 · AI score 8.3 · EPSS 0.00683 · Exploits 0 · References 3 · Affected software 1
Vulnrichment (added 2024/07/30 3:49 p.m.)

CVE-2024-41802 Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into t...

CVSS 8.1 · AI score 8.3 · EPSS 0.00683 · Exploits 0 · References 3
OSV (added 2024/07/30 3:49 p.m.)

CVE-2024-41803 Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for...

CVSS 4.9 · AI score 7.9 · EPSS 0.0053 · Exploits 0 · References 5
Cvelist (added 2024/07/30 3:49 p.m.)

CVE-2024-41803 Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for...

CVSS 4.9 · EPSS 0.0053 · Exploits 0 · References 3
CVE (added 2024/07/30 3:49 p.m.)

CVE-2024-41803

Xibo CMS contains an SQL injection in the API routes that filter DataSets. The vulnerability, exploitable by an authenticated user, can allow extraction of arbitrary data from Xibo's database. Affected versions are before 3.3.12 and before 4.0.14; remediation is to upgrade to 3.3.12 or 4.0.14, re...

CVSS 4.9 · AI score 5.5 · EPSS 0.0053 · Exploits 0 · References 3 · Affected software 1
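The Xibo entries above (CVE-2024-41802, -41803, -41804, -41944) all describe the same shape of bug: a value the caller controls (a DataSet filter value, a column formula, a report parameter) is spliced into a SQL statement, so an authenticated user reads or modifies tables the endpoint never meant to expose. The block below is an added illustration, not Xibo's code, and uses a constructed SQLite schema rather than the Xibo database. It shows the filter pattern in its vulnerable form, the same query with the value bound as a parameter, and the one part a bound parameter cannot protect, the column identifier, handled with an allowlist. The table and column names, the payload and the sample rows are all constructed for the demo.

```python
import sqlite3

# Constructed schema standing in for a "dataset" table next to a more sensitive one.
_SCHEMA = """
CREATE TABLE dataset_row (id INTEGER PRIMARY KEY, col1 TEXT, col2 TEXT);
INSERT INTO dataset_row (col1, col2) VALUES ('alpha', 'north'), ('beta', 'south');
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
INSERT INTO user (name, password_hash) VALUES ('admin', 'hash-constructed');
"""

# Column identifiers cannot be bound as parameters, so they must come from a fixed allowlist.
ALLOWED_COLUMNS = {"col1", "col2"}


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def filter_rows_vulnerable(conn: sqlite3.Connection, column: str, needle: str) -> list:
    """Filter by string formatting: both the column and the value are pasted into the SQL."""
    sql = f"SELECT col1 FROM dataset_row WHERE {column} = '{needle}'"
    return [row[0] for row in conn.execute(sql)]


def filter_rows_safe(conn: sqlite3.Connection, column: str, needle: str) -> list:
    """Same filter with the value bound and the identifier checked against the allowlist."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown filter column: {column!r}")
    sql = f"SELECT col1 FROM dataset_row WHERE {column} = ?"
    return [row[0] for row in conn.execute(sql, (needle,))]


# Constructed payload: closes the quoted literal, UNIONs in another table, comments out the rest.
PAYLOAD = "x' UNION SELECT name || ':' || password_hash FROM user -- "


def demo() -> dict:
    """Run both versions against the same input and return what each one yields."""
    conn = build_db()
    return {
        "vulnerable_normal": filter_rows_vulnerable(conn, "col1", "alpha"),
        "vulnerable_payload": filter_rows_vulnerable(conn, "col1", PAYLOAD),
        "safe_normal": filter_rows_safe(conn, "col1", "alpha"),
        "safe_payload": filter_rows_safe(conn, "col1", PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>20}: {rows}")
```

Run stand-alone, the vulnerable filter returns the constructed `admin:hash-constructed` row from the `user` table for the payload, while the parameterized version returns nothing because the payload is compared as a literal string. Note that binding alone would not have closed the identifier half of the problem: `filter_rows_safe` still refuses a column name outside `ALLOWED_COLUMNS`, which is the check a filter or sort API needs in addition to prepared statements.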