h2: Loading of custom classes from remote servers through JNDI

A flaw was found in the H2 Console. This flaw allows remote attackers to execute arbitrary code via a JDBC URL, concatenating with a substring that allows remote code execution by using a script...

Remote Code Execution

ldap-account-manager is vulnerable to remote code execution. An attacker is able to inject the first constructor argument leading to code execution if non-LAM classes are instantiated during object creation...

Input validation

Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting i...

CVE-2022-31092 SQL injection in pimcore

Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting i...

CVE-2022-31084 Unauthenticated Remote Code Execution in ldap-account-manager

LDAP Account Manager LAM is a webfrontend for managing entries e.g. users, groups, DHCP settings stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to cod...

SUSE: Security Advisory (SUSE-SU-2022:2174-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

A flaw was found in gson, which is vulnerable to Deserialization of Untrusted Data via the writeReplace method in internal classes. This issue may lead to availability attacks...

SQL Injection

pimcore/pimcore is vulnerable to sql injection. The vulnerability exists due to improper quoting of columns in setOrderKey function and setGroupBy function of AbstractListing.php when using setOrderBy or setGroupBy on listing classes...

GHSA-GVMF-WCX6-P974 Improper quoting of columns when using setOrderBy() or setGroupBy() on listing classes in Pimcore

Impact Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the...

Improper quoting of columns when using setOrderBy() or setGroupBy() on listing classes in Pimcore

Impact Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default. The actual issue is that quoting is not done properly in both cases, so there's the...

CVE-2022-32328

Fast Food Ordering System v1.0 is vulnerable to Delete any file. via /ffos/classes/Master.php?f=deleteimg...

Frida-Ios-Hook - A Tool That Helps You Easy Trace Classes, Functions, And Modify The Return Values Of Methods On iOS Platform

A tool that helps you can easy using frida. It support script for trace classes, functions, and modify the return values of methods on iOS platform.  For Android platform: frida-android-hook  For Intercept Api was encrypted on iOS application: frida-ios-interceprt-api Env OS Support OS |...

GHSA-MP46-7X6Q-F28M Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfilteredhtml is disabled...

Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfilteredhtml is disabled...

Deserialization of Untrusted Data in Spring Batch

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...

jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based o...

Merchandise Online Store SQL注入漏洞

Merchandise Online Store is a merchandise online store system. A security vulnerability exists in Merchandise Online Store, which can be exploited by attackers via /vloggersmerch/classes/Master.php?f=deleteinventory to conduct SQL injection attack...

CVE-2022-30384

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggersmerch/classes/Master.php?f=deleteinventory...

CVE-2022-30386

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggersmerch/classes/Master.php?f=deletefeatured...

CVE-2022-30387

Merchandise Online Store v1.0 is vulnerable to SQL Injection via /vloggersmerch/classes/Master.php?f=payorder...