aiohttp - Directory Traversal

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

Qualitor <= 8.24 - Remote Code Execution

Qualitor up to 8.24 is vulnerable to Remote Code Execution RCE via Arbitrary File Upload in checkAcesso.php. id: CVE-2024-44849 info: name: Qualitor = 8.24 - Remote Code Execution author: s4e-io severity: critical description: | Qualitor up to 8.24 is vulnerable to Remote Code Execution RCE via...

WordPress Collapsing Categories <= 3.0.8 - SQL Injection

Collapsing Categories plugin for WordPress = 3.0.8 contains a sqlinjection caused by insufficient escaping of 'taxonomy' parameter in /wp-json/collapsing-categories/v1/get REST API, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'taxonomy'...

Tube Video Ads Lite - Reflected XSS

Tube Video Ads Lite WordPress plugin = 1.5.7 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craf...

WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion

The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. id: CVE-2024-6460 info:...

WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution

The The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running doshortcode...

Ganglia Web Interface (v3.7.3 - v3.7.6) - Cross-Site Scripting

A cross-site scripting XSS vulnerability in the component /master/header.php of Ganglia-web v3.73 to v3.76 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "tz" parameter. id: CVE-2024-52762 info: name: Ganglia Web Interface v3.7.3 - v3.7.6 -...

Seagate BlackArmor NAS - Command Injection

Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the authname parameter to localhost/backupmgmt/preconnectcheck.php. id: CVE-2014-3206 info: name: Seagate BlackArmor NAS - Command Injection author: gy741...

phpPgAdmin <=4.2.1 - Local File Inclusion

phpPgAdmin 4.2.1 is vulnerable to local file inclusion in libraries/lib.inc.php when register globals is enabled. Remote attackers can read arbitrary files via a .. dot dot in the language parameter to index.php. id: CVE-2008-5587 info: name: phpPgAdmin =4.2.1 - Local File Inclusion author:...

SiYuan <= v3.6.1 - Bookmark Data Disclosure

SiYuan v3.6.2 contains an information disclosure vulnerability caused by improper authorization checks in the publish service's bookmark filtering, letting unauthenticated visitors access bookmarked blocks from password-protected documents, exploit requires access to the publish service. id:...

WP-FaceThumb 0.1 - Cross-Site Scripting

A cross-site scripting vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the paginationwpfacethumb parameter. id: CVE-2012-2371 info: name: WP-FaceThumb 0.1 - Cross-Site Scripting author: daffainfo severity:...

Joomla! ionFiles 4.4.2 - Local File Inclusion

Joomla! ionFiles 4.4.2 is susceptible to local file inclusion in download.php in the ionFiles comionfiles that allows remote attackers to read arbitrary files via a .. dot dot in the file parameter. id: CVE-2008-6080 info: name: Joomla! ionFiles 4.4.2 - Local File Inclusion author: daffainfo...

kkFileView 4.1.0 - Cross-Site Scripting

kkFileView 4.1.0 contains multiple cross-site scripting vulnerabilities via the errorMsg parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and...

Apache Unomi <1.5.2 - Remote Code Execution

Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process. This vulnerability affects all versions of Apache Unomi prior to 1.5.2. id:...

ffay lanproxy Directory Traversal

ffay lanproxy 0.1 is susceptible to a directory traversal vulnerability that could let attackers read /../conf/config.properties to obtain credentials for a connection to the intranet. id: CVE-2021-3019 info: name: ffay lanproxy Directory Traversal author: pikpikcu severity: high description: ffa...

Ricoh Web Image Monitor - Reflected XSS

A reflected cross-site scripting vulnerability exists in the laser printers and MFPs multifunction printers which implement Ricoh Web Image Monitor. If exploited, an arbitrary script may be executed on the web browser of the user who accessed Web Image Monitor. id: CVE-2025-41393 info: name: Rico...

Apache httpd <=2.4.29 - Arbitrary File Upload

Apache httpd 2.4.0 to 2.4.29 is susceptible to arbitrary file upload vulnerabilities via the expression specified in , which could match '$' to a newline character in a malicious filename rather than matching only the end of the filename. This could be exploited in environments where uploads of...

SolarWinds Serv-U 15.3 - Directory Traversal

SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id:...

Social Login by BestWebSoft < 0.2 - Cross-Site Scripting

The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues. id: CVE-2017-18501 info: name: Social Login by BestWebSoft 0.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues...

WordPress Admin Font Editor <=1.8 - Cross-Site Scripting

WordPress Admin Font Editor plugin indexisto 1.8 and before contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...