136 matches found
HTMLy cross-site scripting vulnerability (CNVD-2022-82256)
HTMLy is an open source database-free PHP blogging platform. A cross-site scripting vulnerability exists in HTMLy version 2.8.1, which originates from the "description" field in the admin/config and index.php pages. The vulnerability can be exploited to execute malicious code, manipulate pages to...
HTMLy 跨站脚本漏洞
HTMLy is an open source database-free PHP blogging platform. A cross-site scripting vulnerability exists in HTMLy version 2.8.1, which originates from the "description" field in the admin/config and index.php pages. The vulnerability can be exploited to execute malicious code, manipulate pages to...
CVE-2021-46009
Totolink A3100R (V5.9c.4577) is affected by an access‑control vulnerability: multiple pages can be read without authentication and admin configurations can be set without cookies. The issue is described across multiple trusted sources (NVD entry CVE-2021-46009 and CNVD/CNNVD records) as a credent...
CVE-2021-46009
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies...
CVE-2020-21506
waimai Super Cms 20150505 contains a cross-site scripting XSS vulnerability in the component /admin.php?m=Config&a=add...
CVE-2020-19158
Cross Site Scripting XSS in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the 'Site Title' parameter of the component '/data/admin//app/config/'...
S-CMS 跨站脚本漏洞
S-CMS is a PHP and MySQL based Content Management System CMS from S-CMS, China. S-CMS suffers from a cross-site scripting vulnerability that stems from cross-site scripting XSS in S-CMS build 20191014 and earlier versions that allows remote attackers to execute arbitrary code via the Site Title...
CVE-2019-25020
CVE-2019-25020 affects Scytl sVote 2.1. The root cause is an unauthenticated sdm-ws-rest API that allows retrieving administrative configuration by sending a POST to /sdm-ws-rest/preconfiguration. The impact is exposure of admin configuration (confidentiality impact noted as HIGH in CVSS 3.1). Ex...
CVE-2021-23878
Clear text storage of sensitive Information in memory vulnerability in McAfee Endpoint Security ENS for Windows prior to 10.7.0 February 2021 Update allows a local user to view ENS settings and credentials via accessing process memory after the ENS administrator has performed specific actions. To...
Path traversal
loklak is an open-source server application which is able to collect messages from various sources, including twitter. The server contains a search index and a peer-to-peer index sharing interface. All messages are stored in an elasticsearch index. In loklak less than or equal to commit 5f48476, ...
CVE-2020-15097
loklak is an open-source server application which is able to collect messages from various sources, including twitter. The server contains a search index and a peer-to-peer index sharing interface. All messages are stored in an elasticsearch index. In loklak less than or equal to commit 5f48476, ...
Under Construction < 3.86 - Authenticated Stored Cross-Site Scripting (XSS)
The Underconstruction plugin admin configuration is vulnerable to stored XSS issues which will be triggered in the main page of the site, even when the unfilteredhtml is disabled. Edit WPScanTeam A fix was attempted in v3.80, but was insufficient. In the meantime, more fields were found to be...
Design/Logic Flaw
An issue was discovered in Zammad before 3.5.1. The default signup Role for newly created Users can be a privileged Role, if configured by an admin. This behvaior was unintended...
CVE-2020-35126
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy...
CVE-2020-35126
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy...
Cross site scripting
Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy...
CVE-2020-35126
Typesetter CMS 5.x–5.1 is affected by a Site Title persistent XSS via the Admin/Configuration URI. The vulnerability stems from the Admin/Configuration URI handling of the Site Title, enabling an attacker with admin access to persistently inject XSS content. No explicit fixed version is listed in...
PT-2020-17261 · Typesetter · Typesetter Cms
Name of the Vulnerable Software and Affected Versions: Typesetter CMS versions 5.x through 5.1 Description: The issue allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. The significance of this report is disputed because admins are considered trustworthy...
Typesetter CMS Cross-Site Scripting Vulnerability
Typesetter is a content management system CMS. A cross-site scripting vulnerability exists in Typesetter CMS versions 5.x through 5.1 that allows administrators to conduct persistent XSS attacks on site headers via the administrative configuration URI. Note:The significance of this report is...
PT-2020-15483 · Cloudbees +1 · Jenkins Health Advisor By Cloudbees Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Health Advisor by CloudBees Plugin versions 3.2.0 and earlier Description: The issue arises from an incorrect permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view the endpoint, which includes a...