1114 matches found
GHSA-PVGF-MRR4-CW7R Cross-Site Request Forgery in ForkCMS
Multiple cross-site request forgery (CSRF) vulnerabilities in the Admin Console in Fork before 5.8.3 allow remote attackers to perform unauthorized actions as administrator: (1) mass-approve user comments, (2) restore a deleted user, (3) install or run modules, (4) reset the...
CVE-2021-3536
A flaw was found in WildFly. While creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to a cross-site scripting (XSS) attack. The highest threat from this vulnerability is to confidentiality and integrity...
Privilege Escalation
openmage/magento-lts is vulnerable to privilege escalation. An attacker is able to gain access to the admin console through a blind SQL injection vulnerability in the Search module...
CVE-2020-19419
Incorrect Access Control in Emerson Smart Wireless Gateway 1420 4.6.59 allows remote attackers to obtain sensitive device information from the administrator console without authentication...
CVE-2021-21064
Magento UPWARD-php version 1.1.4 and earlier is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 and earlier due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which...
Path traversal
Magento UPWARD-php version 1.1.4 and earlier is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 and earlier due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which...
CVE-2021-21064
CVE-2021-21064 affects Magento UPWARD-php (versions 1.1.4 and earlier) via the UPWARD Connector (versions 1.1.2 and earlier). The issue is a path traversal vulnerability caused by the upload feature that could let an attacker with admin console access upload a malicious YAML file and read arbitra...
CVE-2021-21064 Magento UPWARD-php Path traversal vulnerability via UPWARD Connector
Magento UPWARD-php version 1.1.4 and earlier is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 and earlier due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which...
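The entries above describe an upload feature that can be driven to a path outside the directory it was meant to write to. The following is an added example, not Magento UPWARD code: a generic upload-path containment check in Python. It shows the vulnerable string-prefix check next to a check that resolves the path (symlinks included) and compares it component by component against the upload directory. The directory layout, file names and the secret file are constructed for the demonstration.

```python
import os
import tempfile


def naive_join(base_dir, user_path):
    """Vulnerable pattern: join, then check the string prefix. Neither '..'
    segments nor a sibling directory that shares the prefix are caught."""
    candidate = os.path.join(base_dir, user_path)
    return candidate if candidate.startswith(base_dir) else None


def safe_join(base_dir, user_path):
    """Containment check: resolve both paths (symlinks included) and require
    base_dir to be the common ancestor, compared by path component rather
    than by string prefix. Returns None when the path would escape."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Constructed layout: <root>/uploads (allowed), <root>/uploads_evil
    (a sibling sharing the prefix), <root>/secret.txt (must stay unreachable).
    Returns, per case, (naive check accepted?, safe check accepted?)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.makedirs(os.path.join(base, "themes"))
        os.makedirs(os.path.join(root, "uploads_evil"))
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed secret\n")
        cases = {
            "inside": "themes/site.yaml",
            "dotdot": "../secret.txt",
            "sibling_dir": "../uploads_evil/x.yaml",
            "absolute": secret,
        }
        return {label: (naive_join(base, p) is not None,
                        safe_join(base, p) is not None)
                for label, p in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The prefix check passes both the "../secret.txt" and the sibling-directory case because the unresolved string still begins with the upload directory; the resolved, component-wise comparison rejects both while still accepting a file genuinely under the upload directory.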
CVE-2021-21014
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...
Design/Logic Flaw
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...
CVE-2021-21027
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the...
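The ForkCMS entry above and this Magento GraphQL entry both describe cross-site request forgery: a state-changing request that the victim's browser sends with the victim's credentials attached, without the victim intending it. The following is an added example, not ForkCMS or Magento code, and it does not claim to show either project's root cause: a constructed admin action in the vulnerable form (session cookie alone authorises it) and a hardened form that requires POST, checks the Origin/Referer header, and verifies a per-session synchronizer token in constant time, plus the content-type guard a JSON API such as a GraphQL endpoint can apply. The Request and session structures, SITE_ORIGIN, and the "restore deleted user" action are assumptions for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://shop.example"  # assumed origin of the admin console
SESSIONS = {}  # constructed in-memory session store: sid -> {"user", "csrf_token"}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as a framework would expose it."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and mint a per-session CSRF token alongside it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _authenticated_admin(req):
    session = SESSIONS.get(req.cookies.get("sid"))
    return session if session and session["user"] == "admin" else None


def restore_user_vulnerable(req, deleted_users):
    """Vulnerable pattern: the session cookie alone authorises the action.
    The victim's browser attaches that cookie to a form POST from any site."""
    if _authenticated_admin(req) is None:
        return 403
    deleted_users.discard(req.form.get("user_id"))
    return 200


def same_origin(req):
    """Origin (or, failing that, Referer) must point at our site. A request
    carrying neither is treated as cross-site; relax that deliberately only
    for clients known to omit both."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def restore_user_hardened(req, deleted_users):
    """Hardened pattern: POST only, origin check, and the body must carry the
    session's token. An attacker's page cannot read the token (same-origin
    policy) and cannot forge the browser-set Origin header."""
    session = _authenticated_admin(req)
    if session is None:
        return 403
    if req.method != "POST":
        return 405
    if not same_origin(req):
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return 403
    deleted_users.discard(req.form.get("user_id"))
    return 200


def json_api_guard(req):
    """Guard for a JSON API such as a GraphQL endpoint: HTML forms can only
    send urlencoded, multipart or text/plain bodies, and a cross-site fetch()
    with application/json triggers a CORS preflight the server can refuse.
    Requiring application/json on POST, and never running mutations on GET,
    removes the form-based CSRF vector."""
    if req.method != "POST":
        return 405
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return 200 if ctype == "application/json" else 415


def demo():
    sid = login("admin")
    # Constructed forged request: the cookie rides along automatically, but the
    # attacker's page knows no token and the browser sets Origin to the attacker.
    forged = Request("POST", cookies={"sid": sid},
                     headers={"Origin": "https://attacker.example"},
                     form={"user_id": "42"})
    legit = Request("POST", cookies={"sid": sid},
                    headers={"Origin": SITE_ORIGIN},
                    form={"user_id": "42", "csrf_token": SESSIONS[sid]["csrf_token"]})
    deleted = {"42"}
    vuln = restore_user_vulnerable(forged, set(deleted))
    hard = restore_user_hardened(forged, set(deleted))
    ok = restore_user_hardened(legit, deleted)
    form_post = json_api_guard(Request("POST", headers={"Content-Type": "text/plain"}))
    get_query = json_api_guard(Request("GET"))
    json_post = json_api_guard(Request("POST", headers={"Content-Type": "application/json; charset=utf-8"}))
    return vuln, hard, ok, deleted, form_post, get_query, json_post
```

The forged request succeeds against the vulnerable handler and is refused by the hardened one, while the legitimate same-origin request carrying the token still restores the user. Marking the session cookie SameSite=Lax is a worthwhile complement, but the token check is what does not depend on browser behaviour.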
CVE-2021-21019
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation...
CVE-2021-21029
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are affected by a reflected cross-site scripting vulnerability via the 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required...
CVE-2021-21018
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for...
CVE-2021-21026
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin...
CVE-2021-21023
Magento versions 2.4.1 and earlier, 2.4.0-p1 and earlier and 2.3.6 and earlier are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required...