136 matches found
CVE-2013-1817
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information...
Cross site scripting
An XSS issue was discovered in app/search/search.app.php in idreamsoft iCMS 7.0.14 via the public/api.php?app=search q parameter...
CVE-2019-11427
The CVE-2019-11427 entry concerns an XSS vulnerability in idreamsoft iCMS 7.0.14, reachable through the q parameter of public/api.php?app=search and handled in the file app/search/search.app.php. Connected sources consistently describe the issue as a Cross-Site Scripting vulnerability in iCMS 7.0.14, with no ...
CVE-2019-8902
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI...
CVE-2018-20006
CVE-2018-20006 affects PHPok v5.0.055. A Stored XSS flaw exists in the title parameter passed to api.php?c=post&f=save, reachable via index.php?id=book. The underlying issue is unencoded user input being stored and subsequently rendered, enabling script execution in a victim’s browser. Public ref...
CVE-2018-18319
An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed on...
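Added example, not Merlin.PHP's code: a request handler that builds a PHP statement from query parameters and runs it with eval(), beside an allowlisted dispatcher that never evaluates request data. The parameter names (function, class, Cc) follow the URI quoted in the entry above; the statement template, the `remote` class and the route table are assumptions made for the illustration.

```php
<?php
// Added illustration, not Merlin.PHP's code. Parameter names follow the URI
// in the CVE entry; the statement template, the `remote` class and the route
// table are assumptions.

class remote {
    // Stand-in for a real backend class; it only echoes what it was asked to run.
    public static function command(string $c): string {
        return "would run: $c";
    }
}

// Vulnerable shape: request data becomes PHP source. With Cc='ls' the
// evaluated statement is   $out = remote::command('ls');   The quotes in Cc
// are part of the payload, so the client chooses the PHP that executes, not
// merely a string argument.
function vulnerable_dispatch(array $get): string {
    $class    = $get['class'] ?? '';
    $function = $get['function'] ?? '';
    $arg      = $get['Cc'] ?? '';
    $out = '';
    eval("\$out = {$class}::{$function}({$arg});");
    return (string)$out;
}

// Hardened shape: no eval(). Accepted actions are an allowlist of closures
// keyed by the exact class/function values we support, and Cc reaches the
// handler only as an ordinary string argument.
function safe_dispatch(array $get): string {
    static $routes = null;
    if ($routes === null) {
        $routes = [
            'remote' => [
                'command' => fn(string $arg): string => remote::command($arg),
            ],
        ];
    }
    $class    = (string)($get['class'] ?? '');
    $function = (string)($get['function'] ?? '');
    if (!isset($routes[$class][$function])) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        return 'unknown action';
    }
    return ($routes[$class][$function])((string)($get['Cc'] ?? ''));
}

if (PHP_SAPI === 'cli') {
    // Constructed request equivalent to ?function=command&class=remote&Cc='ls'
    $req = ['function' => 'command', 'class' => 'remote', 'Cc' => "'ls'"];
    echo vulnerable_dispatch($req), "\n";   // the quotes in Cc were parsed as PHP
    echo safe_dispatch($req), "\n";         // the quotes are now just data
}
```

The point of the allowlist is that the set of reachable code is fixed at authoring time; a request can select among those handlers but cannot add to them. Any residual use of the argument (for instance passing it to a shell) then has to be justified on its own, with escapeshellarg() against a fixed binary rather than string assembly.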
Sql injection
PbootCMS 1.2.1 has SQL injection via the HTTP POST data to the api.php/cms/addform?fcode=1 URI...
CVE-2018-18211
PbootCMS 1.2.1 has SQL injection via the HTTP POST data to the api.php/cms/addform?fcode=1 URI...
CVE-2018-18211
PbootCMS 1.2.1 is affected by an SQL injection vulnerability. The issue occurs via HTTP POST data to the api.php/cms/addform?fcode=1 URI, enabling crafted input to influence SQL queries. This CVE is supported by multiple sources (NVD entry CVE-2018-18211 and related records) indicating a high-sev...
CVE-2018-17049
CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback parameter in an uploadpic action...
Sql injection
phpkaiyuancms PhpOpenSourceCMS POSCMS V3.2.0 allows an unauthenticated user to execute arbitrary SQL commands via the diy/module/member/controllers/Api.php ajaxsavedraft function with the dir parameter...
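Added example, not PbootCMS's or POSCMS's code: the shape both entries above describe (untrusted request fields concatenated into a query sent from an API endpoint), beside the prepared-statement form, using an in-memory SQLite database so it runs offline. Table and column names, the fcode format check and the request body are constructed for the illustration.

```php
<?php
// Added illustration, not PbootCMS's or POSCMS's code. Schema, column names
// and the request body are constructed.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE form_data (id INTEGER PRIMARY KEY, fcode TEXT, name TEXT, message TEXT)');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $db->exec("INSERT INTO users (username, password_hash) VALUES ('admin', 'hash-not-shown')");
    return $db;
}

function count_rows(PDO $db): int {
    return (int)$db->query('SELECT COUNT(*) FROM form_data')->fetchColumn();
}

// Vulnerable shape: request values are spliced into SQL text, so a quote in
// the data ends the literal and the rest of the value is parsed as SQL.
function addform_vulnerable(PDO $db, string $fcode, array $post): void {
    $name = $post['name'] ?? '';
    $msg  = $post['message'] ?? '';
    $sql  = "INSERT INTO form_data (fcode, name, message) VALUES ('$fcode', '$name', '$msg')";
    $db->exec($sql);
}

// Hardened shape: placeholders, so the driver never parses request data as
// SQL; fcode is additionally checked against the shape the route expects.
function addform_safe(PDO $db, string $fcode, array $post): void {
    if (!preg_match('/^\d{1,6}$/', $fcode)) {
        throw new InvalidArgumentException('bad fcode');
    }
    $stmt = $db->prepare('INSERT INTO form_data (fcode, name, message) VALUES (:fcode, :name, :message)');
    $stmt->execute([
        ':fcode'   => $fcode,
        ':name'    => (string)($post['name'] ?? ''),
        ':message' => (string)($post['message'] ?? ''),
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed POST body: the message closes the string literal and appends
    // a second statement that copies the users table into form_data, where a
    // later read of submitted forms would reveal it.
    $post = [
        'name'    => 'x',
        'message' => "'); INSERT INTO form_data (fcode, name, message) "
                   . "SELECT '1', username, password_hash FROM users; --",
    ];

    $db = open_db();
    addform_vulnerable($db, '1', $post);
    echo "vulnerable: ", count_rows($db), " rows (second statement ran)\n";

    $db = open_db();
    addform_safe($db, '1', $post);
    echo "safe: ", count_rows($db), " row, message stored verbatim: ",
         $db->query('SELECT message FROM form_data')->fetchColumn(), "\n";
}
```

Stacked statements are accepted by SQLite through PDO::exec and by MySQL when emulated prepares are on, which is why the vulnerable form here does more than corrupt one row. The prepared form is safe regardless of that driver setting because the data never reaches the SQL parser.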
CVE-2018-14940
PHPCMS 9 allows remote attackers to cause a denial of service resource consumption via large fontsize, height, and width parameters in an api.php?op=checkcode request...
CVE-2018-14940
PHPCMS 9 is affected by CVE-2018-14940 where remote attackers can trigger a denial of service by sending oversized font_size, height, and width values to api.php?op=checkcode. The connected sources reiterate the same description and CVSS data (NVD), with no concrete remediation details provided i...
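Added example, not PHPCMS's code: why client-chosen captcha dimensions are a resource-consumption issue and how to bound them. The parameter names (fontsize, width, height) follow the entries above; the limits, the memory estimate and the rendering stub are assumptions made for the illustration.

```php
<?php
// Added illustration, not PHPCMS's code. Parameter names follow the CVE
// entry; the limits, memory estimate and drawing code are assumptions.

const MAX_WIDTH    = 400;
const MAX_HEIGHT   = 120;
const MAX_FONTSIZE = 48;

// Vulnerable shape: whatever the client sends becomes the image size.
function checkcode_params_vulnerable(array $get): array {
    return [
        'width'    => (int)($get['width'] ?? 130),
        'height'   => (int)($get['height'] ?? 50),
        'fontsize' => (int)($get['fontsize'] ?? 20),
    ];
}

// A true-colour GD image costs about width*height*4 bytes before anything is
// drawn, so a single request can ask for gigabytes. Float return because the
// product of two attacker-sized ints can exceed PHP_INT_MAX.
function estimated_bytes(array $p): float {
    return (float)$p['width'] * (float)$p['height'] * 4.0;
}

// Hardened shape: each value must be an integer inside a range that makes
// sense for a captcha; anything else is rejected rather than clamped, so that
// abuse shows up as 400s in the access log instead of being silently served.
function checkcode_params_safe(array $get): ?array {
    $range = fn(int $min, int $max) => ['options' => ['min_range' => $min, 'max_range' => $max]];
    $w = filter_var($get['width']    ?? 130, FILTER_VALIDATE_INT, $range(40, MAX_WIDTH));
    $h = filter_var($get['height']   ?? 50,  FILTER_VALIDATE_INT, $range(20, MAX_HEIGHT));
    $f = filter_var($get['fontsize'] ?? 20,  FILTER_VALIDATE_INT, $range(10, MAX_FONTSIZE));
    if ($w === false || $h === false || $f === false) {
        return null;
    }
    return ['width' => $w, 'height' => $h, 'fontsize' => $f];
}

// Minimal renderer using GD's built-in font, so no TTF file is needed; returns
// PNG bytes, or null when the GD extension is not loaded.
function render_checkcode(array $p, string $code): ?string {
    if (!function_exists('imagecreatetruecolor')) {
        return null;
    }
    $img = imagecreatetruecolor($p['width'], $p['height']);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    $fg  = imagecolorallocate($img, 0, 0, 0);
    imagefilledrectangle($img, 0, 0, $p['width'] - 1, $p['height'] - 1, $bg);
    imagestring($img, 5, 8, (int)($p['height'] / 2) - 8, $code, $fg);
    ob_start();
    imagepng($img);
    $png = ob_get_clean();
    imagedestroy($img);
    return $png;
}

if (PHP_SAPI === 'cli') {
    // Constructed hostile request: api.php?op=checkcode&width=20000&height=20000&fontsize=9000
    $get = ['width' => '20000', 'height' => '20000', 'fontsize' => '9000'];
    $raw = checkcode_params_vulnerable($get);
    printf("vulnerable would allocate about %.1f GB\n", estimated_bytes($raw) / 1e9);
    var_dump(checkcode_params_safe($get));                       // NULL: rejected
    $ok = checkcode_params_safe(['width' => '130', 'height' => '50']);
    $png = $ok ? render_checkcode($ok, 'A7K2') : null;
    echo $png === null ? "GD not available\n" : strlen($png) . " bytes of PNG\n";
}
```

Bounding the parameters is the fix; PHP's memory_limit only turns the request into a fatal error, which still costs a worker and, under concurrency, still exhausts the server.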
Design/Logic Flaw
An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the callback parameter in a public/api.php uploadpic request, bypassing the iWAF protection mechanism...
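Added example, not iCMS's or CQU-LANKERS's code: the "callback" parameter shape described by the CQU-LANKERS entry and by the iCMS 7.0.9 entry above. An upload endpoint answers with a page whose script calls a client-supplied function name; when that name is echoed as-is, the parameter is already inside a script context, which is why a filter that looks for HTML tags in request values does not stop it. The response markup, the result array and the sample callback values are assumptions made for the illustration.

```php
<?php
// Added illustration, not iCMS's or CQU-LANKERS's code. Response markup,
// result array and sample callback values are constructed.

// Vulnerable shape: the callback name and the JSON payload are both spliced
// into the script element. The value needs no "<" or ">" to be executable,
// because it already sits in JavaScript.
function uploadpic_response_vulnerable(string $callback, array $result): string {
    $json = json_encode($result);
    return "<script>parent.{$callback}({$json});</script>";
}

// Hardened shape: the callback must look like a JavaScript identifier path
// (e.g. handlers.onUpload), and the JSON is encoded so that <, >, &, and both
// quote characters cannot end the <script> element or a string literal even
// when a file name contains them. A bad callback is refused, never echoed.
function uploadpic_response_safe(string $callback, array $result): ?string {
    $identifierPath = '/^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$/';
    if (!preg_match($identifierPath, $callback)) {
        return null; // caller responds 400
    }
    $json = json_encode($result, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        return null;
    }
    return "<script>parent.{$callback}({$json});</script>";
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a script-injecting callback and a file name that
    // tries to close the script element from inside the JSON.
    $result = ['ok' => true, 'file' => '</script><b>x</b>.png'];
    echo uploadpic_response_vulnerable('alert(1);//', $result), "\n";
    var_dump(uploadpic_response_safe('alert(1);//', $result));   // NULL: rejected
    echo uploadpic_response_safe('handlers.onUpload', $result), "\n";
}
```

Running it shows the vulnerable output beginning with `parent.alert(1);//`, while the hardened path rejects that value and, for a legitimate callback, emits the file name as `\u003C\/script\u003E...` so the browser never sees a closing tag inside the JSON.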
CVE-2018-9104
A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 21.84.5535.0 and earlier, and Mitel ST 14.2, versions GA27 19.49.5200.0 and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting XSS attack due to insufficient...