279 matches found
CVE-2023-44383
Summary: CVE-2023-44383 affects October CMS versions affected by stored XSS when SVGs are uploaded to the Media Manager. What’s affected: October CMS (versions 3.0–3.5.x per sources) where the media manager stores SVG files. Root cause: Inadequate validation/ sanitization of uploaded SVG content ...
CVE-2023-45135 XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In org.xwiki.platform:xwiki-platform-web versions 7.2-milestone-2 until 14.10.12 and org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1, it is possible to...
The vulnerability of the web page rendering modules in WebKitGTK and WPE WebKit, related to memory access after it is freed, allows attackers to execute arbitrary code.
The vulnerability of the Web page rendering modules in WebKitGTK and WPE WebKit lies in the access to memory after it has been freed. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
Oracle Essbase Multiple Vulnerabilities (October 2022 CPU)
The version of Oracle Essbase installed on the remote host is missing a security patch from the October 2022 Critical Patch Update CPU. It is, therefore, affected by multiple vulnerabilities, including: - Vulnerability in Oracle Essbase component: Build cURL. The supported version that is affecte...
The vulnerability of the web page rendering modules in WebKitGTK and WPE for iOS, iPadOS, macOS, watchOS, Safari browser allows a perpetrator to execute arbitrary code.
The vulnerability of the web page rendering modules in WebKitGTK and WPE for iOS, iPadOS, tvOS, macOS, watchOS, and the Safari browser is related to the execution of operations outside of the buffer in memory. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
The vulnerability of the web platform used for creating ZKBio Access lVS control and access management systems lies in the lack of measures taken to protect the SQL query structure, allowing attackers to execute arbitrary SQL code.
The vulnerability of the web platform used for creating ZKBio Access lVS access control and management systems is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary SQL code remotely...
The vulnerability in the web platform used for creating ZKBio Access lVS control and access management systems stems from errors in processing the relative path to the catalog. This allows a hacker to gain access to and read arbitrary files.
The vulnerability of the web platform used for creating ZKBio Access lVS access control and management systems is related to errors in processing the relative path to the catalog. Exploiting this vulnerability could allow a malicious actor to gain read access to arbitrary files...
ZKTeco BioAccess IVS SQL Injection Vulnerability
ZKTeco BioAccess IVS is a lite Web-based security platform from China-based ZKTeco. A SQL injection vulnerability exists in ZKTeco BioAccess IVS v3.3.1, which originates from allowing an authenticated user to inject arbitrary SQL commands and execute arbitrary SQL commands...
CVE-2023-37897
Grav SSTI CVE-2023-37897 affects Grav’s Twig engine due to a denial-list bypass introduced in the fix for a prior SSTI vulnerability. The isDangerousFunction() function returns false when a backslash is found, allowing payloads such as {{ ['id'] | map('\system') | join() }} to bypass the denylist...
CVE-2023-37897 Server-side Template Injection (SSTI) in grav
Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection SSTI vulnerability. The fix for another SSTI vulnerability using |map, |filter and |reduce twigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value fr...
Design/Logic Flaw
Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- 1 using unsafe functions that are not...
Remote code execution
Grav is a file-based Web platform. Prior to version 1.7.42, there is a logic flaw in the GravExtension.filterFilter function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument...
CVE-2023-30615
Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. A stored Cross-Site Scripting XSS vulnerability has been identified in iris-web, affecting multiple locations . The vulnerability in allows an attacker to inject malicious...
Pimcore Properties Parameter Cross-Site Scripting Vulnerability
Pimcore is Austria Pimcore company's set of open source for creating and managing Web applications Web content management platform. The platform integrates Web content management, e-commerce framework and product information management applications. A cross-site scripting vulnerability exists in...
CVE-2023-26123
Versions of the package raysan5/raylib before 4.5.0 are vulnerable to Cross-site Scripting XSS such that the SetClipboardText API does not properly escape the ' character, allowing attacker-controlled input to break out of the string and execute arbitrary JavaScript via emscriptenrunscript...
PT-2023-20504 · Raysan5 · Raylib
Name of the Vulnerable Software and Affected Versions: raysan5/raylib versions prior to 4.5.0 Description: The issue is related to Cross-site Scripting XSS where the SetClipboardText API does not properly escape the character, allowing attacker-controlled input to break out of the string and...
XWiki Platform 跨站请求伪造漏洞
XWiki Platform is a suite of Wiki platforms for creating Web collaboration applications from XWiki France. XWiki Platform suffers from a cross-site request forgery vulnerability that stems from susceptibility to cross-site request forgery CSRF attacks. An attacker could exploit the vulnerability ...
CVE-2022-41892
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in...
Sql injection
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in...
PYSEC-2022-42985
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in...