22 matches found
EUVD-2020-29673
Malware in sbrugna...
CVE-2020-8830
CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen...
CVE-2019-19552
In userman 13.0.76.43 through 15.0.20 in Sangoma FreePBX, XSS exists in the user management screen of the Administrator web site, i.e., the /admin/config.php?display=userman URI. An attacker with sufficient privileges can edit the Display Name of a user and embed malicious XSS code. When another...
CVE-2024-37773
An HTML injection vulnerability in Sunbird DCIM dcTrack 9.1.2 allows attackers authenticated as administrators to inject arbitrary HTML code in an admin screen...
JVN#87182660: WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting
WordPress Plugin "WP Admin UI Customize" provided by gqevu6bsiz contains a stored cross-site scripting vulnerability CWE-79. Impact If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are...
Strapi Improper Rate Limiting vulnerability
Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. Pattern 1 - In this case,...
Stored XSS in title
Description There is Stored XSS in the item title of the menu on the administrator screen. Proof of Concept Step 1. Log in to the admin screen and select Add New Item in Menu. Step 2. Specify the following Payload for the item title and save it. Step 3. Once saved, any script can be executed on t...
Reflected XSS in date
Description There is a reflected XSS on the FOSSBilling admin screen. Proof of Concept By accessing the following URL, it is possible to execute any script on the browser of the logged-in administrator user. URL:...
Grav Server Side Template Injection (SSTI) vulnerability
Summary I found an RCE (Remote Code Execution) by SSTI in the admin screen. Details Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. PoC 1. Log in to the administrator screen and access the edit screen of the defaul...
Grav code injection vulnerability
Grav is an extensible CMS (Content Management System) for personal blogs, small content publishing platforms, and one-page product displays. A code injection vulnerability exists in Grav versions prior to 1.7.42, which stems from the presence of a server-side template injection (SSTI) vulnerability...
PT-2023-10290 · WordPress · Wooframework Branding Plugin
Name of the Vulnerable Software and Affected Versions: WooFramework Branding Plugin versions up to 1.0.1 Description: A problematic vulnerability has been found in the WooFramework Branding Plugin on WordPress. The issue affects the admin screen logic function of the file wooframework-branding.ph...
PT-2023-10291 · WordPress · Wooframework Tweaks Plugin
Name of the Vulnerable Software and Affected Versions: WooFramework Tweaks Plugin versions up to 1.0.1 Description: A vulnerability was found in the WooFramework Tweaks Plugin on WordPress. The issue affects the admin screen logic function of the file wooframework-tweaks.php. The manipulation of...
CVE-2018-9992
Frog CMS 0.9.5 is affected by a cross-site scripting vulnerability that can be triggered by entering malicious content in the name field when creating a new File or Directory via the admin/?/plugin/file_manager/browse/ screen. The issue is documented across multiple sources (NVD, CNVD, CVE record...
HOME SPOT CUBE2 vulnerable to OS command injection in clock settings
Overview HOME SPOT CUBE2 provided by KDDI CORPORATION is a wireless LAN router. HOME SPOT CUBE2 contains OS command injection in clock settings. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information...
Design/Logic Flaw
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment...
CVE-2016-9459
CVE-2016-9459 affects Nextcloud Server < 9.0.52 and ownCloud Server
Log pollution can potentially lead to local HTML injection - ownCloud
The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the...