8 matches found
Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration
Summary: The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reportsconfig permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML...
EUVD-2010-4697
Malware in sbrugna...
CVE-2025-7045 Cloud SAML SSO <= 1.0.19 - Missing Authorization to Unauthenticated Identity Provider Deletion via delete_config Action
The Cloud SAML SSO plugin for WordPress is vulnerable to Identity Provider Deletion due to a missing capability check on the delete_config action of the cssohandleactions function in all versions up to, and including, 1.0.19. This makes it possible for unauthenticated attackers to delete any...
GHSA-3G8J-JJ54-3VJG Apache Struts is vulnerable to Cross-site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/...
CVE-2018-19507
CMSimple 4.7.5 has XSS via an admin's use of a ?file=config&action=array URI...
CVE-2018-19507
CMSimple 4.7.5 has XSS via an admin's use of a ?file=config&action=array URI...
CVE-2017-11679
Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the password parameter to admin.php in an a=config action...
CVE-2015-4659
Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php...