PT-2023-19757 · Pmb · Pmb
Name of the Vulnerable Software and Affected Versions: PMB version 7.4.6 Description: A reflected cross-site scripting XSS issue was found in PMB via the query parameter at "/admin/convert/export z3950 new.php". This allows for potential XSS attacks. Recommendations: For PMB version 7.4.6, consid...
Helpful < 4.5.26 - Information Disclosure
The plugin puts the exported logs and feedback in a publicly accessible location with guessable names, which could allow attackers to download them and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings. After an admin exports logs via...
CVE-2022-38844
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on their own system...
CVE-2022-2798
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliates to perform CSV injection attacks against an admin exporting the data...
Affiliates Manager < 2.9.14 - Affiliate CSV Injection
The plugin does not validate and sanitise the affiliate data, which could allow users registering as affiliates to perform CSV injection attacks against an admin exporting the data. PoC: Register as an affiliate and put the following payload in the Firstname, Lastname or Company fields: =10+2+30 As...
WordPress plugin FoxyShop Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in versions of the WordPress FoxyShop plugin prior to...
WordPress plugin Custom TinyMCE Shortcode Button Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The WordPress plugin is an application plugin. WordPress Custom TinyMCE Shortcode Buttons plugin version 1.1 and earlier is vulnerable to a...
CVE-2022-0914
The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages including private and draft into an arbitrary CSV file, which the attacker can then download and retrieve the list of...
CVE-2021-43701
CSZ CMS 1.2.9 has a Time and Boolean-based Blind SQL Injection vulnerability in the endpoint /admin/export/getcsv/articledb, via the fieldS and orderby parameters...
WordPress plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. WordPress plugin is a WordPress open source application plugin. WordPress Akismet Privacy Policies plugin version 2.0.1 and earlier versions contain a cross-site scripting vulnerability, which stems...
WordPress plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. The WordPress MOLIE plugin has a cross-site scripting vulnerability that stems from not escaping the courseid parameter before...
WordPress plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blogging sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. WordPress Team Circle Image Slider With Lightbox...
PT-2021-16884 · Suitecrm · Suitecrm
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 7.10.29 through 7.10.31 SuiteCRM versions 7.11.18 through 7.11.19 Description: The issue concerns a CSV Injection vulnerability, also known as Formula Injection, which allows a low-privileged attacker to inject payloads into...
PT-2021-19562 · Phplist · Phplist
Name of the Vulnerable Software and Affected Versions: phpList version 3.6.0 Description: The issue allows for CSV injection, related to the email parameter, and affects the /lists/admin/ endpoint. Recommendations: For phpList version 3.6.0, consider restricting access to the /lists/admin/ endpoi...
PT-2020-17266 · Dolibarr · Dolibarr
Name of the Vulnerable Software and Affected Versions: Dolibarr version 12.0.3 Description: The issue allows for authenticated Remote Code Execution. An attacker with access to the admin dashboard can exploit the backup function by inserting a payload into the zipfilename template parameter in th...
LimeSurvey Access Control Error Vulnerability
LimeSurvey, formerly known as PHPSurveyor, is an open source online questionnaire survey program from the LimeSurvey team, which supports survey program development, questionnaire distribution, and data collection. A security vulnerability exists in the 'downloadZip' function of the...
UBUNTU-CVE-2018-15474
DISPUTED CSV Injection aka Excel Macro Injection or Formula Injection in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has...