GHSA-JWXH-WJ79-CCM6 Magento Reflected Cross-site Scripting vulnerability via 'file' parameter

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required...

GHSA-269W-PQC7-68Q9 Magento vulnerable to a file upload restriction bypass

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...

Magento OS Command Injection

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for...

GHSA-H437-QJJ9-VMQ4 Magento XPath Injection

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful...

Magento vulnerable to a file upload restriction bypass

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...

Magento XPath Injection

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful...

Magento OS command injection via the WebAPI

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...

GHSA-792F-C8MP-2CR5 Magento OS command injection via the WebAPI

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...

GHSA-W2P4-2C8C-2G7H Magento OS command injection via the customer attribute save controller

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required...

Magento OS command injection via the customer attribute save controller

Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required...

JBoss KeyCloak Cross-site Scripting Vulnerability

If a JBoss Keycloak application was configured to use as a permitted web origin in the Keycloak administrative console, crafted requests to the login-status-iframe.html endpoint could inject arbitrary Javascript into the generated HTML code via the "origin" query parameter, leading to a cross-sit...

GHSA-V3H2-4J2R-WQJ8 Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protection...

Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protection...

GHSA-V38P-MQQ3-M6V5 Keycloak Reflected XSS

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server...

Keycloak Reflected XSS

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server...

Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console

Summary Embedded WebSphere Application Server traditional Admin Console is vulnerable to a directory traversal vulnerability CVE-2020-4782 Vulnerability Details CVEID: CVE-2021-23450 DESCRIPTION: Dojo could allow a remote attacker to execute arbitrary code on the system, caused by a prototype...

Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console

Summary Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console. TWAS pen testing uncovered an issue with the admin console that allows Client-side HTTP Parameter Pollution. The user must be navigating the affected resources. Client-side HTTP parameter pollution HPP...

The vulnerability of the VMware Workspace ONE Access application management platform, the VMware Cloud Foundation virtualization platform, the VMware vRealize Automation virtual infrastructure management tool, the vRealize Suite Lifecycle Manager application lifecycle management software, and the VMware Identity Manager (vIDM) administration console lies in insufficient checks on the HTTP request source. This allows attackers to carry out CSRF attacks.

The vulnerabilities of the application management platform VMware Workspace ONE Access, the virtualization platform VMware Cloud Foundation, the virtual infrastructure management tool VMware vRealize Automation, the application lifecycle management software vRealize Suite Lifecycle Manager, and t...

CVE-2021-33523

MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController...

CVE-2021-33523

MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController...