Lucene search

10 matches found

ATTACKERKB
added 2025/12/19 7:32 p.m. | 2 views

CVE-2025-14966

A vulnerability was determined in FastAdmin up to 1.7.0.20250506. Affected is the function selectpage of the file application/common/controller/Backend.php of the component Backend Controller. Executing a manipulation of the argument custom/searchField can lead to SQL injection. It is possible to...

CVSS 7.2 | AI score 5.3 | EPSS 0.00033
Exploits: 1 | References: 6
CVE
added 2025/08/05 8:3 p.m. | 12 views

CVE-2012-10033

Narcissus (backend.php) Image Configuration Command Injection is CVE-2012-10033. The flaw: release parameter is not sanitized before passing to configure_image(), which invokes PHP passthru() with the unsanitized input. This enables remote code execution via a crafted POST request under the web s...

CVSS 9.3 | AI score 7.5 | EPSS 0.78452
Exploits: 0 | References: 5
Vulnrichment
added 2025/08/05 8:3 p.m. | 2 views

CVE-2012-10033 Narcissus backend.php Image Configuration Command Injection

Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Specifically, the backend.php script fails to sanitize the release parameter before passing it to the configure_image function. This function invokes PHP’s passthru with the unsanitize...

CVSS 9.3 | AI score 7.4 | EPSS 0.78452
Exploits: 0 | References: 5
Veracode
added 2022/07/22 6:46 a.m. | 14 views

Remote Code Execution (RCE)

winter/storm is vulnerable to Remote Code Execution. An authenticated attacker with permission to create or modify theme templates with the cms editor can disable the cms.enableSafeMode feature, allowing for the modification of the backend.php code through the web interface...

AI score 4.1
Exploits: 0
Packet Storm
added 2021/05/27 12:0 a.m. | 212 views

Pandora FMS 6.0SP3 Cross Site Scripting

Exploit Title: XSS vulnerability for keywords searching parameter in pandorafms-6.0SP3/pandoraconsole Author: @nu11secur1ty Testing and Debugging: @nu11secur1ty Date: 05.27.2021 Vendor: https://pandorafms.com/ Link: https://github.com/pandorafms/pandorafms/releases CVE: 2021-0527-nu11secur1ty...

AI score 0.1 | EPSS 0.00019
Exploits: 2
Packet Storm
added 2021/05/03 12:0 a.m. | 208 views

TYPO3 6.2.1 SQL Injection

Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php Author: @nu11secur1ty Testing and Debugging: @nu11secur1ty Date: 05.02.2021 Vendor: https://typo3.org/ Link: https://get.typo3.org/version/6.2.1 CVE: CVE-2021-31777 Proof: https://streamable.com/8v7v4i + Exploit...

EPSS 0.00287
Exploits: 3
NVD
added 2019/11/05 9:15 p.m. | 8 views

CVE-2011-1133

Cross-Site Scripting (XSS) in Xinha, as included in the Serendipity package before 1.5.5, allows remote attackers to execute arbitrary code via plugins/ExtendedFileManager/backend.php...

CVSS 6.1 | AI score 6.2 | EPSS 0.00863
Exploits: 0 | References: 4
Metasploit
added 2012/11/19 9:12 p.m. | 17 views

Narcissus Image Configuration Passthru Vulnerability

This module exploits a vulnerability found in Narcissus image configuration function. This is due to the backend.php file not handling the $release parameter properly, and then passes it on to the configure_image function. In this function, the $release parameter can be used to inject system...

AI score 8
Exploits: 0
Exploit DB
added 2011/09/19 12:0 a.m. | 44 views

WordPress Plugin Livesig 0.4 - Remote File Inclusion

Exploit Title: Livesig Wordpress plugin RFI Google Dork: inurl:wp-content/plugins/livesig Date: 09/19/2011 Author: Ben Schmidt supernothing AT spareclockcycles.org @supernothing Software Link: http://wordpress.org/extend/plugins/livesig/download/ Version: 0.4 tested --- PoC ---...

AI score 7
Exploits: 0
Cvelist
added 2007/10/14 8:0 p.m. | 10 views

CVE-2002-2249

PHP remote file inclusion vulnerability in News Evolution 2.0 allows remote attackers to execute arbitrary PHP commands via the neurl parameter to (1) backend.php, (2) screen.php, or (3) admin/modules/comment.php...

AI score 7.7 | EPSS 0.03345
Exploits: 1 | References: 3