ED01-CMS Code Issue Vulnerability
ED01-CMS is a CMS project in a Udemy course. A security vulnerability exists in ED01-CMS version 20180505, which stems from an arbitrary file upload vulnerability via /admin/users.php?source=edituser&id=1...
CVE-2022-1027
The Page Restriction WordPress WP WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users...
CVE-2022-1094 Amr Users < 4.59.4 - Admin+ Stored Cross-Site Scripting
The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
WordPress plugin Page Restriction Cross-Site Scripting Vulnerability
WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blogging sites on servers with PHP and MySQL. WordPress plugin Page Restriction has a cross-site scripting vulnerability that stems from injecting Javascript code into its settings...
Sourcecodester Baby Care System SQL Injection Vulnerability (CNVD-2022-35523)
Sourcecodester Baby Care System is an application of the Sourcecodester community in the United States. Sourcecodester Baby Care System v1.0 contains a SQL injection vulnerability that originates in /admin/uesrs.php & action=display & value=Hide & userid= where the userid parameter lacks validati...
CVE-2022-28439
Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&&action=delete&userid=4...
Sourcecodester Baby Care System SQL Injection Vulnerability
Sourcecodester Baby Care System is an application of the Sourcecodester community in the United States. Sourcecodester Baby Care System v1.0 contains a SQL injection vulnerability that originates from the lack of validation of external input SQL statements in the userid parameter in...
CVE-2022-0994
The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
CVE-2022-1088
The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...
CVE-2022-1347 Stored XSS in the "Username" & "Email" input fields leads to account takeover of Admin & Co-admin users in causefx/organizr
Stored XSS in the "Username" & "Email" input fields leads to account takeover of Admin & Co-admin users in GitHub repository causefx/organizr prior to 2.1.1810. Account takeover and privilege escalation...
Aethon TUG Home Base Server Security Vulnerability
Aethon TUG Home Base Server is a robotics server from Aethon, Inc. It is used to control and communicate with autonomous mobile robots. Aethon TUG Home Base Server has a security vulnerability that can be exploited by an unauthenticated attacker to arbitrarily add new users with administrative...
CSZ CMS SQL Injection Vulnerability
CSZ CMS is a PHP-based open source content management system CMS. CSZ CMS version 1.2.2 contains a SQL injection vulnerability, which originates from the lack of validation of external input SQL statements in cszcmsadminUsersviewUsers and can be exploited by attackers to execute illegal SQL...
CVE-2022-1006
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks...
MinIO -- unprivileged users can create service accounts for admin users
MinIO reports: A security issue was found where an unprivileged user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials...
CockroachDB < 2.1.10 / 19.1.x < 19.1.16 / 19.2.x < 19.2.2 Broken Access Control Vulnerability (A42567)
The version of CockroachDB installed on the remote host has a privileged HTTP endpoint which is incorrectly available to non-admin users. An unauthenticated, remote attacker can exploit this issue by sending a specially crafted HTTP request to obtain & modify sensitive information from the remote...
WordPress plugin Cross-Site Scripting Vulnerability
WordPress is the WordPress Foundation's blogging platform developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. WordPress plugin is an open source application plugin for WordPress. A cross-site scripting vulnerability exists in the...
LiveConfig Cross-Site Scripting Vulnerability
LiveConfig is a control panel software from the German company LiveConfig. It is used to simplify server configuration and ensure reliable and secure operation. A security vulnerability exists in LiveConfig version 2.12.2, which stems from an XSS issue in the admin/users user management form...
WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting Vulnerability
The Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. This vulnerability makes it possible for an...
CVE-2021-25109
The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting XSS against logged in admins by making them open a malicious link...
CVE-2021-46459
Victor CMS v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component admin/users.php?source=adduser. These vulnerabilities can be exploited through a crafted POST request via the username, userfirstname,userlastname, or useremail parameters...