12 matches found
EUVD-2020-8590
Malware in sbrugna...
CVE-2021-24913
The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswsssaveattachmentdata AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary uploaded media...
CVE-2024-37316 Nextcloud Calendar's event create can create attachments that link to other websites
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2...
PT-2024-27473 · Nextcloud · Nextcloud Calendar
Name of the Vulnerable Software and Affected Versions: Nextcloud Calendar versions prior to 4.6.8 Nextcloud Calendar versions prior to 4.7.2 Description: The issue allows authenticated users to create an event with manipulated attachment data, leading to a bad redirect for participants when...
XWiki Platform 注入漏洞
XWiki Platform is a suite of Wiki platforms for creating Web collaboration applications from the French company XWiki. An injection vulnerability exists in XWiki Platform that stems from incorrectly escaping information loaded from attachments in imported.vm, importinline.vm, and packagelist.vm...
WordPress plugin Logo Showcase with Slick Slider 访问控制错误漏洞
WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language . The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an open source application plugin for WordPress. An access control error vulnerability exists in the WordPress...
Improper Access Control in bookstackapp/bookstack
Description A user with API access can view any attachment which they do not have read access to because read permissions are not being checked at the API attachments read controller. Proof of Concept 1: From default installation give the "Public" role access to system API 2: Upload attachment...
CVE-2020-16629
PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path...
CVE-2020-16629
PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path...
Sql injection
PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path...
CVE-2020-16629
PhpOK 5.4.137 contains a SQL injection vulnerability that can inject an attachment data through SQL, and then call the attachment replacement function through api.php to write a PHP file to the target path...
CVE-2011-2977
Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3...