33 matches found
CVE-2023-31474
An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name...
CVE-2021-35053
Possible system denial of service in case of arbitrary changing Firefox browser parameters. An attacker could change specific Firefox browser parameters file in a certain way and then reboot the system to make the system unbootable...
CVE-2009-3256
Cross-site scripting (XSS) vulnerability in include/ajax/blogInfo.php in LiveStreet 0.2 allows remote attackers to inject arbitrary web script or HTML via the URI, as demonstrated by a SCRIPT element in an arbitrary parameter such as the asd parameter...
CVE-2023-31474
GL.iNet devices before 3.216 are affected by CVE-2023-31474 due to a flaw in the software installation feature that lets an attacker inject arbitrary parameters via a regex in a package name, causing opkg to list files in a target directory. The issue stems from how package-name regex handling ca...
LFI/RFI in MLflow
Description Local and Remote File Include in MLflow Proof of Concept Start the server or UI it works on both identically bash mlflow ui --host 127.0.0.1:5001 Create a model bash curl -i -s -k -X $'POST' \ -H $'Host: 127.0.0.1:5001' -H $'User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15;...
EXNESS: SSRF in graphQL query (pwapi.ex2b.com)
An SSRF vulnerability was discovered in the GraphQL query for allTicks on the pwapi.ex2b.com website. This vulnerability allowed an attacker to set the source parameter to perform arbitrary GET requests, potentially compromising internal services exposed to internal network requests...
GHSA-5PGJ-R7C6-7C7W Apache Struts Multiple XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of...
Apache Struts Multiple XSS Vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts 2.x before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via an arbitrary parameter value to a .action URI, related to improper handling of...
WP Editor < 1.2.7 - Authenticated SQL injection
The plugin did not sanitise or validate its setting fields leading to an authenticated admin+ blind SQL injection issue via an arbitrary parameter when making a request to save the settings. PoC https://drive.google.com/file/d/1KT4lHePmYuX36jvA4AEQ1MVDwJBlZOO/view?usp=sharing payload:...
CVE-2020-14206
The DiveBook plugin 1.1.4 for WordPress is prone to unauthenticated XSS within the filter function via an arbitrary parameter...
CVE-2018-19189
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in an error.php echo statement...
CVE-2018-19187
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement...
Code injection
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement...
PAYFORT payfort-php-SDK cross-site scripting vulnerability (CNVD-2019-08571)
PayFort is an online payment gateway. payfort-php-SDK is the PayFort payment gateway SDK. A cross-site scripting vulnerability exists in Amazon PAYFORT payfort-php-SDK on 2018-04-26 and earlier versions, which can be exploited by an attacker to conduct a cross-site scripting attack via an arbitra...
PAYFORT payfort-php-SDK cross-site scripting vulnerability (CNVD-2019-08573)
PayFort is an online payment gateway. payfort-php-SDK is the PayFort payment gateway SDK. A cross-site scripting vulnerability exists in Amazon PAYFORT payfort-php-SDK on 2018-04-26 and earlier versions, which can be exploited by an attacker to conduct a cross-site scripting attack via an arbitra...
CVE-2017-18024
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1...
Default credentials
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1...
CVE-2017-18024
AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and whose value is 1...
AvantFAX 3.3.3 Cross Site Scripting
Title: AvantFAX 3.3.3 - XSS Author: Nassim Asrir Contact: [email protected] Vendor: https://www.officetracker.com/ CVE: CVE-2017-18024 Description AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default URI, as demonstrated by a parameter whose name contains a SCRIPT element and...
CVE-2012-4336
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flogr 2.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATHINFO or (2) an arbitrary parameter...