509 matches found
PT-2020-12113 · Chadha · Chadha Phpkb Standard Multi-Language
Name of the Vulnerable Software and Affected Versions: Chadha PHPKB Standard Multi-Language version 9 Description: The issue concerns how URIs are handled in admin/header.php, allowing for Reflected XSS in admin/report-article-printed.php. This can be achieved by adding a question mark ? followed...
Mail.ru: unauthorized access to add admin endpoint
Access to static page within media-poll.mail.ru admin interface was not restricted. Access to static page does not grant attacker the ability to perform any actions or access any sensitive information...
PT-2019-7396 · WordPress · Dynamic Widgets
Name of the Vulnerable Software and Affected Versions: dynamic-widgets plugin versions prior to 1.5.11 Description: The issue concerns a CSRF with resultant XSS. It is exploitable via the "page limit" parameter in the "/wp-admin/themes.php?page=dynwid-config" API endpoint. Recommendations: For...
CVE-2019-16702
Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI...
PT-2019-14523 · 10Web · 10Web Photo Gallery
Name of the Vulnerable Software and Affected Versions: 10Web Photo Gallery plugin versions prior to 1.5.35 Description: A SQL injection issue exists in the photo-gallery plugin for WordPress. The issue is exploitable via the album id parameter in the admin/controllers/Albumsgalleries.php file...
PT-2019-13779 · WordPress · Import-Users-From-Csv-With-Meta
Name of the Vulnerable Software and Affected Versions: Import users from CSV with meta plugin versions prior to 1.14.2.2 Description: The issue allows for a CSRF attack via the "wp-admin/admin-ajax.php?action=acui delete attachment" API endpoint. This affects the "Import users from CSV with meta"...
PT-2019-13626 · Unknown · Schben Adive
Name of the Vulnerable Software and Affected Versions: Schben Adive version 2.0.7 Description: The issue allows remote unprivileged users, such as editors or developers, to create an administrator account. This can be achieved via the admin/user/add endpoint, as demonstrated by a Python...
JetBrains YouTrack Cross-Site Request Forgery Vulnerability
JetBrains YouTrack is a browser-based bug tracking and project management software from the Czech company JetBrains. The software features bug tracking, creating workflows and monitoring project progress. A cross-site request forgery vulnerability exists in the admin endpoint in JetBrains YouTrac...
CVE-2019-12851
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852...
CVE-2019-12851
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852...
Cross site request forgery (csrf)
A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852...
CVE-2019-12851
CVE-2019-12851 describes a cross-site request forgery (CSRF) vulnerability in an admin endpoint of JetBrains YouTrack. Multiple connected sources corroborate a CSRF issue that could affect YouTrack installations and was remediated by a fix in YouTrack 2018.4.49852. The NVD/NVD-derived metrics ind...
PT-2019-12378 · Webdorado · Webdorado Contact Form Builder
Name of the Vulnerable Software and Affected Versions: WebDorado Contact Form Builder plugin versions prior to 1.0.69 Description: The issue allows for CSRF via the "wp-admin/admin-ajax.php" API endpoint, specifically through the action parameter, which can lead to local file inclusion via...
OFCMS background editUploadImage file upload vulnerability
OFCMS is a content management system based on Java technology. A backend editUploadImage file upload vulnerability exists in versions of OFCMS prior to 1.1.3. The vulnerability stems from the blocking of .jsp and .jspx files without taking into account file.jsp::$DATA of the...
CVE-2019-9613
An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider for example file.jsp::$DATA to the admin/ueditor/uploadVideo URI...
CVE-2018-19043
The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file renaming specifying a "from" and "to" filename via a ../ directory traversal in the dir parameter of an mrelocatorrename action to the wp-admin/admin-ajax.php URI...
CVE-2019-6127
An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename...
PT-2018-2679 · Centos · Centos Web Panel
Name of the Vulnerable Software and Affected Versions: CentOS Web Panel versions through 0.9.8.740 Description: The issue is related to insufficient authentication of requests, allowing for the execution of arbitrary OS commands. This can be exploited by a remote attacker to execute commands. The...
PT-2018-14475 · WordPress · Wp-Live-Chat-Support
Name of the Vulnerable Software and Affected Versions: wp-live-chat-support version 8.0.15 Description: A security issue exists in the wp-live-chat-support plugin for WordPress. The problem is related to the term parameter in the "modules/gdpr.php" file. This issue can be exploited through a...
PT-2018-18092 · Finecms · Finecms
Name of the Vulnerable Software and Affected Versions: FineCms version 5.3.0 Description: The issue concerns a Cross Site Scripting XSS problem. It occurs via the id or lid parameter in a "c=linkage,m=import" request to "admin.php". The xss clean protection mechanism is bypassed by specially...