3531 matches found
CVE-2020-13868
An issue was discovered in the Comments plugin before 1.5.5 for Craft CMS. CSRF affects comment integrity...
CVE-2012-3473
The 1 reports API and 2 administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions...
CVE-2012-4007
The mixi application before 4.3.0 for Android allows remote attackers to read potentially sensitive information in friends' comments via a crafted application that leverages the storage of these comments on an SD card...
CVE-2019-15734
An issue was discovered in GitLab Community and Enterprise Edition 8.6 through 12.2.1. Under very specific conditions, commit titles and team member comments could become viewable to users who did not have permission to access these...
CVE-2019-25011
NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments...
CVE-2019-7587
Bo-blog Wind through 1.6.0-r allows SQL Injection via the admin.php/comments/batchdel/ comID parameter because this parameter is mishandled in the mode/admin.mode.php delBlockedBatch function...
CVE-2019-6995
An issue was discovered in GitLab Community and Enterprise Edition 8.x, 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Incorrect Access Control. Users are able to comment on locked project issues...
CVE-2019-17583
idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service resource consumption via a query for many comments, as demonstrated by the admincp.php?app=comment= substring followed by a large positive integer...
CVE-2019-16665
An issue was discovered in ThinkSAAS 2.91. There is XSS via the content to the index.php?app=group∾=comment=do=1 URI, as demonstrated by a crafted SVG document in the SRC attribute of an EMBED element...
CVE-2019-11548
An issue was discovered in GitLab Community and Enterprise Edition before 11.8.9. It has Incorrect Access Control. Unprivileged members of a project are able to post comments on confidential issues through an authorization issue in the note endpoint...
CVE-2019-7944
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Retur...
CVE-2019-5472
An authorization issue was discovered in Gitlab versions 12.1.2, 12.0.4, and 11.11.6 that prevented owners and maintainer to delete epic comments...
CVE-2018-16622
Multiple cross-site scripting XSS vulnerabilities in /api/content/addOne in DoraCMS v2.0.3 allow remote attackers to inject arbitrary web script or HTML via the 1 discription or 2 comments field, related to users/userAddContent...
CVE-2014-10382
The feature-comments plugin before 1.2.5 for WordPress has CSRF for featuring or burying a comment...
CVE-2010-4357
SQL injection vulnerability in comments.php in SiteEngine 7.1 allows remote attackers to execute arbitrary SQL commands via the module parameter...
CVE-2010-4516
Multiple cross-site scripting XSS vulnerabilities in the JXtended Comments component before 1.3.1 for Joomla allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2019-15593
GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments...
CVE-2013-7233
Cross-site request forgery CSRF vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list...
CVE-2012-6102
lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments aka feedback comments of arbitrary users via a crafted URI...
CVE-2012-5872
ARC aka ARC2 through 2011-12-01 allows blind SQL Injection in getTriplePatternSQL in ARC2StoreSelectQueryHandler.php via comments in a SPARQL WHERE clause...