8 matches found
PT-2026-41863
The additional tables configuration of the page and tt content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index...
CVE-2026-44633
Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can...
CVE-2022-45186
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database...
WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF
The plugin does not properly check for CSRF in its delfield and savealldata AJAX actions, allowing an attacker to make a logged-in user call them via a CSRF attack. To delete a field from the Registration Form: To change the whole Registration Form: input type=...
WooCommerce Custom Registration Form <= 1.0.4 - Arbitrary Field Deletion and Form Modification via CSRF
The plugin does not properly check for CSRF in its delfield and savealldata AJAX actions, allowing an attacker to make a logged-in user call them via a CSRF attack. PoC: To delete a field from the Registration Form: To change the whole Registration Form:...
Tryton-server Access Privilege Vulnerability
tryton is a general-purpose application framework, GPL-3 licensed, written in Python, with PostgreSQL as the database engine. A security vulnerability exists on the server side of Tryton, which can be exploited by an authenticated attacker to write arbitrary values to record fields...
mcms latest version: injection via arbitrary fields of arbitrary tables + adding an administrator + arbitrary data deletion
Brief description: mcms latest version: injection via arbitrary fields of arbitrary tables + adding an administrator + arbitrary data deletion. Details: Two days ago I reported two vulnerabilities on wooyun; they were confirmed and fixed within a day and a new version was released, so I went to the official site and downloaded the latest version (v3.1.1.enterprise) to take a look and learn from it. Issue 1: injection via arbitrary fields of arbitrary tables. One injection point: POST /app/user/info.php?m=save&ajax=1. The POST body contains a parameter modelname, which is concatenated with the table prefix (TBPRE) to build the name of the table to operate on. modelname is not filtered when it is read, so injection is possible in the table name, and of course arbitrary fields of arbitrary tables can be used for the injection. ...
CVE-2012-2269
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to...