CVE-2020-11548
The CVE-2020-11548 entry concerns the WordPress Search Meter plugin (versions up to 2.13.2). The vulnerability stems from accepting user input in the search bar that can be treated as a formula, enabling remote code execution via CSV injection when performing a wp-admin/index.php?page=search-mete...
Fedora: Security Advisory for phpMyAdmin (FEDORA-2020-25f3aea389)
The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
WordPress CSV Injection Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports setting up personal blog sites on servers running PHP and MySQL. An injection vulnerability exists in the WordPress Auth0 plugin prior to version 4.0.0, which results from the program no...
CVE-2020-7947
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data...
CVE-2020-7947
The CVE-2020-7947 issue affects the WordPress plugin Login by Auth0 prior to 4.0.0. The vulnerability stems from data fields being populated from multiple sources without sanitization or input validation before exporting user data, enabling CSV injection via a crafted Excel document. Public refer...
Login by Auth0 < 4.0.0 - Multiple Vulnerabilities
CVE-2020-5391 - CSRF controls missing for domain field
CVE-2020-5392 - Stored XSS in Settings page
CVE-2020-6753 - Stored XSS in multiple pages
CVE-2020-7947 - CSV injection vulnerabilities
CVE-2020-7948 - Insecure direct object reference...
Horde 5.2.22 CSV Import Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Horde CSV import arbitrary PHP code execution', 'Description' = %q The HordeData module version 2.1.4 and before present in Horde Groupware versi...
CVE-2019-19676
A CSV injection in arxes-tolina 3.0.0 allows malicious users to gain remote control of other computers. By entering formula code in the following columns: Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, and Bemerkung, an attacker can create a user with a name that contains malicious code. Other...
CVE-2019-19676
CVE-2019-19676 affects arxes-tolina 3.0.0. The issue is CSV injection: if an attacker supplies data containing formula code in columns Kundennummer, Firma, Street, PLZ, Ort, Zahlziel, or Bemerkung, a malicious user can create a name containing code that may be exploited when the data is saved/ope...
CVE-2020-9347
Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external...
CVE-2020-9347
Zoho ManageEngine Password Manager Pro (versions up to 10.x; vendor notes no CSV constraints planned) contains a CSV Excel Macro Injection vulnerability. The issue arises when a crafted name is mishandled by the Export Passwords feature, enabling potential macro injection via CSV exports. Red Hat...
Newsletter < 6.5.4 - CSV Injection
A CSV Injection vulnerability was discovered in the WordPress Newsletter plugin. It allows a user with low-level privileges or no privileges to inject a command into the subscription form that will be included in the exported CSV file, leading to possible code execution...
Horde CSV import arbitrary PHP code execution
The HordeData module version 2.1.4 and before present in Horde Groupware version 5.2.22 allows authenticated users to inject arbitrary PHP code thus achieving RCE on the server hosting the web application. This module requires Metasploit: https://metasploit.com/download Current source:...