15 matches found
EUVD-2021-27371
Malware in sbrugna...
Server-side request forgery (SSRF)
The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow an attacker to make the target system issue network requests on their behalf, enabling a range of possible attacks. In...
Input validation
OctoberCMS is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result, non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to...
CVE-2022-23655
CVE-2022-23655 affects Octobercms (Laravel-based) where affected versions did not validate gateway server signatures. This allows non-authoritative gateway servers to exfiltrate user private keys. The fix is available via upgrading to build 474 or v1.1.10, or applying the patch commit e3b455ad587...
CVE-2022-21705
October CMS (Laravel-based) is vulnerable to an authenticated remote code execution due to improper sanitization of user input in admin pages, allowing bypass of cms.safe_mode/cms.enableSafeMode and arbitrary code execution. Affected builds were fixed in Build 474 (1.0.474) and 1.1.10; manual rem...
SPA Cart CMS 2021 SQL Injection
Document Title: SPA Cart CMS - Multiple SQL Injection Web Vulnerabilities. References (Source): https://www.vulnerability-lab.com/getcontent.php?id=2304. Release Date: 2021-10-18. Vulnerability Laboratory ID (VL-ID): ...
CVE-2021-32624
Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control...
CVE-2021-21264
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 fixed in 1.0.470/471 and 1.1.1 was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247. An authenticated backend user with the cms.managepages,...
Double free
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header, to an October CMS instance), the potential exists for Host Header...
CVE-2020-26231 Bypass of fix for CVE-2020-15247, Twig sandbox escape
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 fixed in 1.0.469 and 1.1.0 was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.managepages, cms.managelayouts, or...
CVE-2020-15247
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.managepages, cms.managelayouts, or cms.managepartials permissions who would normally not be...
CVE-2020-15248
CVE-2020-15248 affects October CMS prior to 1.0.470 (and 1.0.470+ in 1.0 line), where backend users with the default Publisher role can create/manage users and assign roles, enabling privilege escalation to Developer. Root cause: insecure authorization in user-creation workflow allows escalation....
Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable
Drupal released a patch for a “highly critical” flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS...
Drupal Patches Critical Bug That Leaves Platform Open to XSS Attack
Drupal developers patched two critical vulnerabilities this week in versions 7 and 8 of its content management system platform. Overall, Drupal patched seven vulnerabilities including four rated moderately critical and two flaws rated less critical. The first of the critical flaws is a comment...