admin Code Injection Vulnerability
“admin” is a chatroom software developed by Z-9527. Both the 1.0 and 2.0 versions of “admin” have code injection vulnerabilities. These vulnerabilities stem from incorrect operations on the file /server/routes/message.js, which may lead to cross-site scripting attacks...
CVE-2025-28057
owl-admin v3.2.2 to v4.10.2 is vulnerable to SQL Injection in /admin-api/system/adminmenus/saveorder...
CVE-2022-39301
sra-admin is a background rights management system that separates the front end and back end. sra-admin version 1.1.1 has a stored cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an HTML page containing XSS payload code in "Personal Center" ...
GHSA-37X3-J9JQ-VRJX Dcat-Admin Cross-Site Scripting (XSS) vulnerability
Dcat-Admin v2.2.0-beta and v2.2.2-beta contain a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions...
CVE-2024-54775
Dcat-Admin v2.2.0-beta and v2.2.2-beta contain a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions...
CVE-2024-37768
14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id...
CVE-2024-34070
Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging feature of the Froxlor application. An unauthenticated user can inject malicious scripts in the loginname parameter on t...
Woocommerce Vietnam Checkout < 2.0.5 - Reflected XSS
The plugin does not sanitise and escape the from and to parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2022-39301 sra-admin is vulnerable to storage cross-site scripting (XSS) via unrestricted file upload
sra-admin is a background rights management system that separates the front end and back end. sra-admin version 1.1.1 has a stored cross-site scripting (XSS) vulnerability. After logging into the sra-admin background, an attacker can upload an HTML page containing XSS payload code in "Personal Center" ...
Store Locator < 1.4.6 - Stored XSS via CSRF
The plugin does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack...
MashShare <= 3.8.1 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
Photo Gallery by Supsystic < 1.15.6 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack PoC...
MicroPayments < 1.9.6 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack...