1732 matches found

Positive Technologies · added 2022/12/06 12:00 a.m. · 4 views

PT-2022-27825 · Proofpoint · Proofpoint Enterprise Protection

Name of the Vulnerable Software and Affected Versions: Proofpoint Enterprise Protection PPS/PoD versions 8.19.0 and below Description: The admin user interface in Proofpoint Enterprise Protection contains a command injection issue that allows an admin to execute commands beyond their allowed scop...

CVSS 7.2 · AI score 7.3 · EPSS 0.01659 · Exploits 0 · References 3
wpexploit · added 2022/12/02 12:00 a.m. · 131 views

ImageInject <= 1.17 - Admin+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). POST...

CVSS 4.8 · AI score 0.6 · EPSS 0.00288 · Exploits 2
OSV · added 2022/11/23 1:15 a.m. · 2 views

CVE-2020-23583

OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when the attacker sends arbitrary code to the "PingTest" interface on "/diagpingadmin.asp", which leads to COMMAND EXECUTION. An attacker can successfully trigger the COMMAND and can compromise the full system...

CVSS 9.8 · AI score 6 · EPSS 0.07771 · Exploits 0 · References 1
Positive Technologies · added 2022/11/17 12:00 a.m. · 2 views

PT-2022-27290 · Unknown · Chameleon Plugin

Name of the Vulnerable Software and Affected Versions: Chameleon plugin versions 1.4.3 and earlier Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability. This vulnerability requires authentication with admin or higher privileges. The estimated number of potentially...

CVSS 4.8 · AI score 4.9 · EPSS 0.00218 · Exploits 0 · References 4
CNNVD · added 2022/11/13 12:00 a.m. · 0 views

HMS-PHP Security Vulnerability

HMS-PHP is a CSE309 IUB final web application project by the individual developer Pingkon Augustine Rozario. A security vulnerability exists in Pingkon HMS-PHP that stems from an unknown function in the file /admin/admin.php; manipulation of the parameter uname/pass can lea...

CVSS 9.8 · AI score 8.1 · EPSS 0.00298 · Exploits 1 · References 4
CNNVD · added 2022/11/10 12:00 a.m. · 0 views

AyaCMS Code Issue Vulnerability

AyaCMS is an extremely simple and free open source PHP website builder. AyaCMS v3.1.2 contains an arbitrary file upload vulnerability in the component /admin/fstupload.inc.php. An attacker could use this vulnerability to execute arbitrary co...

CVSS 9.8 · AI score 7.8 · EPSS 0.00801 · Exploits 1 · References 3
Positive Technologies · added 2022/11/04 12:00 a.m. · 3 views

PT-2022-21779 · Trellix · Trellix Ips Manager

Name of the Vulnerable Software and Affected Versions: Trellix IPS Manager versions prior to 10.1 M8 Description: The issue allows a remote authenticated administrator to perform an XML External Entity XXE attack in the administrator interface. This is done by importing a saved XML configuration...

CVSS 7.2 · AI score 6.8 · EPSS 0.00421 · Exploits 0 · References 4
OSV · added 2022/10/18 2:15 p.m. · 2 views

CVE-2022-40684

An authentication bypass using an alternate path or channel (CWE-288) in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6, and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated attacker to perform...

CVSS 9.8 · AI score 7.3 · EPSS 0.94427 · Exploits 24 · References 4
VulnCheck KEV · added 2022/10/10 12:00 a.m. · 3 views

VulnCheck KEV: CVE-2022-40684

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests...

CVSS 9.8 · AI score 7.3 · EPSS 0.94427 · Exploits 24 · References 1
OSV · added 2022/10/06 6:18 p.m. · 1 view

CVE-2022-42457

Generex CS141 through 2.10 allows remote command execution by administrators via a web interface that reaches runupdate in /usr/bin/gxserve-update.sh; e.g., command execution can occur via a reverse shell installed by install.sh...

CVSS 7.2 · AI score 5.9 · EPSS 0.06451 · Exploits 2 · References 5
Positive Technologies · added 2022/10/06 12:00 a.m. · 3 views

PT-2022-24858 · Discotoc · Discotoc

Name of the Vulnerable Software and Affected Versions: DiscoTOC versions prior to the fixed version on the main branch Description: The issue allows users to inject arbitrary HTML on a topic's page if they can create topics in TOC-enabled categories and have a sufficient trust level. The estimate...

CVSS 5.4 · AI score 5.3 · EPSS 0.00224 · Exploits 0 · References 6
Positive Technologies · added 2022/09/28 12:00 a.m. · 2 views

PT-2022-19405 · Dell · Os10

Name of the Vulnerable Software and Affected Versions: Dell Networking OS10 versions prior to October 2021 Description: The issue allows a remote, unauthenticated attacker to potentially exploit it by reverse engineering to retrieve sensitive information and access the REST API with admin...

CVSS 6.4 · AI score 5.3 · EPSS 0.0019 · Exploits 0 · References 3
CNNVD · added 2022/09/27 12:00 a.m. · 1 view

Strapi SQL Injection Vulnerability

Strapi is an open source content management system (CMS). Strapi versions prior to 3.6.10, and versions 4.0.0 and later but prior to 4.1.10, contain a SQL injection vulnerability that stems from incorrect handling of hidden attributes in admin API responses. An attacker could exploit the vulnerabilit...

CVSS 8.8 · AI score 7.8 · EPSS 0.00665 · Exploits 2 · References 4
OSV · added 2022/09/26 9:15 p.m. · 2 views

CVE-2022-40097

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/updatecurrency.php...

CVSS 7.2 · AI score 5.8 · EPSS 0.00218 · Exploits 1 · References 1
OSV · added 2022/09/22 2:15 p.m. · 5 views

CVE-2022-40447

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojialist.php...

CVSS 7.2 · AI score 8.2 · Exploits 0 · References 1
Cvelist · added 2022/09/05 6:40 a.m. · 17 views

CVE-2022-39049 Possible XSS in Admin Interface

An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS...

CVSS 3.5 · AI score 5.4 · EPSS 0.01079 · Exploits 0 · References 1
wpexploit · added 2022/09/05 12:00 a.m. · 655 views

CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload

The plugin allows high privilege users such as admins to upload arbitrary files by allowing any extension via the plugin's settings, which could be used by admins of a multisite blog to upload PHP files, for example. Activate the PHP extension: - Log in and go to "CM Downloads" > "Settings" > "General". -...

CVSS 7.2 · AI score 0.3 · EPSS 0.01072 · Exploits 2
OSV · added 2022/08/17 9:15 p.m. · 1 view

CVE-2022-2338

Softing Secure Integration Server V1.22 is vulnerable to authentication bypass via a machine-in-the-middle attack. By default the administration interface is accessible via the plaintext HTTP protocol, which facilitates the attack. The HTTP request may contain the session cookie, which may...

CVSS 5.3 · AI score 5.7 · EPSS 0.00034 · Exploits 0 · References 2
CNNVD · added 2022/08/05 12:00 a.m. · 0 views

Alphaware Simple E-Commerce System Code Issue Vulnerability

Alphaware Simple E-Commerce System is an e-commerce system by the individual developer razormist. It suffers from a code issue in an unknown portion of the adminfeature.php code in its backend administration interface that allows an attacker to perfo...

CVSS 8.8 · AI score 8 · EPSS 0.00421 · Exploits 1 · References 3
ATTACKERKB · added 2022/08/02 10:15 p.m. · 2 views

CVE-2022-36967

In Progress WSFTP Server prior to version 8.7.3, multiple reflected cross-site scripting (XSS) vulnerabilities exist in the administrative web interface. It is possible for a remote attacker to inject arbitrary JavaScript into a WSFTP administrator's web session. This would allow the attacker to...

CVSS 6.1 · AI score 6 · EPSS 0.00009 · Exploits 0 · References 3