1339 matches found
CVE-2022-38254
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting XSS vulnerability via the ajax.php script in CCM 3.1.5...
CVE-2022-38254
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting XSS vulnerability via the ajax.php script in CCM 3.1.5...
UBUNTU-CVE-2022-38254
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting XSS vulnerability via the ajax.php script in CCM 3.1.5...
CVE-2022-38254
Nagios XI before v5.8.7 contains an XSS vulnerability in the ajax.php script within CCM 3.1.5. The issue allows injection of malicious scripts if a user visits or interacts with affected pages. Affected product: Nagios XI; affected component: ajax.php in CCM 3.1.5; root cause: cross‑site scriptin...
EUVD-2022-40846
Nagios XI before v5.8.7 was discovered to contain a cross-site scripting XSS vulnerability via the ajax.php script in CCM 3.1.5...
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS
The plugin does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made As unauthenticated, make a reservation ie on a page where the reservationform is embed and...
Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
The plugin does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...
Craw Data <= 1.0.0 - Server Side Request Forgery
The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF. When configuring the CrawData addon, the request is as follows GET...
CVE-2022-2843
A vulnerability was found in MotoPress Timetable and Event Schedule. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /wp-admin/admin-ajax.php of the component Quick Edit. The manipulation of the argument posttitle with the input leads to cross si...
Cross site scripting
A vulnerability was found in MotoPress Timetable and Event Schedule. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /wp-admin/admin-ajax.php of the component Quick Edit. The manipulation of the argument posttitle with the input leads to cross si...
CVE-2022-2843
CVE-2022-2843 affects MotoPress Timetable and Event Schedule (WordPress plugin). The vulnerability exists in the Quick Edit path via /wp-admin/admin-ajax.php, where manipulating the post_title parameter with the payload triggers cross-site scripting. Exploitation may be remote. The issue is docu...
CVE-2022-2843 MotoPress Timetable and Event Schedule Quick Edit admin-ajax.php cross site scripting
A vulnerability was found in MotoPress Timetable and Event Schedule. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /wp-admin/admin-ajax.php of the component Quick Edit. The manipulation of the argument posttitle with the input leads to cross si...
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending
The plugin does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "application/x-www-form-urlencoded", , "method": "POST", "body":...
Ninja Forms < 3.6.11 - Unauthenticated PHP Object Injection
The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have bee...
CVE-2022-32020
Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via ip/car-rental-management-system/admin/ajax.php?action=savesettings...
Visualizer < 3.7.7 - Reflected Cross-Site Scripting
The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin-ajax.php?action=visualizer-edit-chart&library=yes&chart=6190&tab=visualizer&a"alert/XSS/...
Moodle allows attackers to obtain sensitive information
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtai...
GHSA-FRHC-9HWC-X7J3 Moodle allows attackers to obtain sensitive information
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtai...
Exploit for CVE-2022-28590
CVE-2022-28590 The original discovery and manual PoC is from...
CVE-2022-28590
A Remote Code Execution RCE vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=installtheme...