5078 matches found
CVE-2022-38845
Cross Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...
Design/Logic Flaw
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on their system...
Cross site scripting
Cross Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in the victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...
CVE-2022-38844
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands by creating contacts with payloads capable of executing system commands. An admin user exporting contacts to a CSV file may end up executing the malicious system commands on their system...
CVE-2022-38844
EspoCRM 7.1.8 is affected by a CSV injection vulnerability in Create Contacts, enabling remote authenticated users to execute system commands by crafting payloads in CSV exports (e.g., when an admin exports contacts). Root cause: CSV injection in the contact creation/CSV export flow. Impact: pote...
CVE-2022-38845
CVE-2022-38845 affects EspoCRM 7.1.8, where an attacker can trigger Cross-Site Scripting via the Import feature by sending a crafted CSV containing malicious JavaScript. This requires an authenticated user to import the file, potentially causing the browser to execute injected scripts. Red Hat an...
CVE-2022-1194
The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability...
CVE-2022-2798
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data...
Input validation
The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability...
Input validation
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data...
CVE-2022-2798
CVE-2022-2798 affects the WordPress plugin Affiliates Manager prior to 2.9.14. The vulnerability arises because the plugin does not validate or sanitize affiliate data, enabling CSV injection when admins export affiliates via the CSV export function. This could allow an attacker registering as an...
CVE-2022-2798 Affiliates Manager < 2.9.14 - Affiliate CSV Injection
The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data...
CVE-2022-1194 Mobile Events Manager < 1.4.8 - Admin+ CSV Injection
The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability...
CVE-2022-1194
The CVE-2022-1194 entry describes a CSV injection vulnerability in the Mobile Events Manager WordPress plugin prior to version 1.4.8. The issue arises because the plugin does not properly escape the Enquiry source field when exporting events or the Paid for field when exporting transactions to CS...
WordPress plugin Mobile Events Manager security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. A WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A security vulnerability exists in the WordPress...