McAfee ePolicy Orchestrator <5.10.9 Update 9 - Cross-Site Scripting

McAfee ePolicy Orchestrator before 5.10.9 Update 9 is vulnerable to a cross-site scripting vulnerability that allows administrators to inject arbitrary web script or HTML via multiple parameters where the administrator's entries were not correctly sanitized. reference: -...

WordPress Ultimate FAQ <1.8.30 - Cross-Site Scripting

WordPress Ultimate FAQ plugin before 1.8.30 is susceptible to cross-site scripting via DisplayFAQ to Shortcodes/DisplayFAQs.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

Kyocera Printer d-COPIA253MF - Directory Traversal

Kyocera Printer d-COPIA253MF plus is susceptible to a directory traversal vulnerability which could allow an attacker to retrieve or view arbitrary files from the affected server. id: CVE-2020-23575 info: name: Kyocera Printer d-COPIA253MF - Directory Traversal author: 0xAkoko severity: high...

74cms - ajax_street.php 'key' SQL Injection

SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajaxstreet.php. id: CVE-2020-22211 info: name: 74cms - ajaxstreet.php 'key' SQL Injection author: ritikchaddha severity: critical description: | SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajaxstreet.php. impact: | Successf...

Apache OFBiz <=16.11.07 - Cross-Site Scripting

Apache OFBiz 16.11.01 to 16.11.07 is vulnerable to cross-site scripting because data sent with contentId to /control/stream is not sanitized. id: CVE-2020-1943 info: name: Apache OFBiz =16.11.07 - Cross-Site Scripting author: pdteam severity: medium description: Apache OFBiz 16.11.01 to 16.11.07 ...

Microweber <1.1.20 - Information Disclosure

Microweber before 1.1.20 is susceptible to information disclosure via userfiles/modules/users/controller/controller.php. An attacker can disclose the users database via a /modules/ POST request and thus potentially access sensitive information, modify data, and/or execute unauthorized operations...

Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal

A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit...

Micro Focus Operations Bridge Manager <=2020.05 - Remote Code Execution

Micro Focus Operations Bridge Manager in versions 2020.05 and below is vulnerable to remote code execution via UCMDB. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Data Center Automation. An attack requires network access and authentication as a...

Apache ActiveMQ <=5.15.5 - Cross-Site Scripting

Apache ActiveMQ versions 5.0.0 to 5.15.5 are vulnerable to cross-site scripting via the web based administration console on the queue.jsp page. The root cause of this issue is improper data filtering of the QueueFilter parameter. id: CVE-2018-8006 info: name: Apache ActiveMQ =5.15.5 - Cross-Site...

Atlassian Jira Server-Side Template Injection

Jira Server and Data Center is susceptible to a server-side template injection vulnerability via the ContactAdministrators and SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and...

BlogEngine.NET 3.3.7.0 - Local File Inclusion

BlogEngine.NET 3.3.7.0 allows /api/filemanager local file inclusion via the path parameter id: CVE-2019-10717 info: name: BlogEngine.NET 3.3.7.0 - Local File Inclusion author: arafatansari severity: high description: | BlogEngine.NET 3.3.7.0 allows /api/filemanager local file inclusion via the pa...

Joomla! Jtag Members Directory 5.3.7 - Local File Inclusion

Joomla! Jtag Members Directory 5.3.7 is vulnerable to local file inclusion via the downloadfile parameter. id: CVE-2018-6008 info: name: Joomla! Jtag Members Directory 5.3.7 - Local File Inclusion author: daffainfo severity: high description: Joomla! Jtag Members Directory 5.3.7 is vulnerable to...

Oracle Fusion Middleware WebCenter Sites - Cross-Site Scripting

The Oracle WebCenter Sites component of Oracle Fusion Middleware is susceptible to multiple instances of cross-site scripting that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebCenter Sites. Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2....

SugarCRM 3.5.1 - Cross-Site Scripting

SugarCRM 3.5.1 is vulnerable to cross-site scripting via phprint.php and a parameter name in the query string aka a $key variable. id: CVE-2018-5715 info: name: SugarCRM 3.5.1 - Cross-Site Scripting author: edoardottt severity: medium description: SugarCRM 3.5.1 is vulnerable to cross-site...

L-Soft LISTSERV <16.5-2018a - Cross-Site Scripting

L-Soft LISTSERV before 16.5-2018a contains a reflected cross-site scripting vulnerability via the /scripts/wa.exe OK parameter. id: CVE-2019-15501 info: name: L-Soft LISTSERV 16.5-2018a - Cross-Site Scripting author: LogicalHunter,arafatansari severity: medium description: | L-Soft LISTSERV befor...

PilusCart <=1.4.1 - Local File Inclusion

PilusCart versions 1.4.1 and prior suffer from a file disclosure vulnerability via local file inclusion. id: CVE-2019-16123 info: name: PilusCart =1.4.2 or apply the vendor-supplied patch to mitigate the LFI vulnerability. reference: -...

WordPress Sell Media 2.4.1 - Cross-Site Scripting

WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter aka $searchterm or the Search field. id: CVE-2019-6112 info: name: WordPress Sell Media 2.4.1 -...

Aptana Jaxer 1.0.3.4547 - Local File inclusion

Aptana Jaxer 1.0.3.4547 is vulnerable to local file inclusion in the wikilite source code viewer. An attacker can read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI. id: CVE-2019-14312 info: name: Aptana Jaxer 1.0.3.4547 - Local File inclusion author: daffainfo...

YzmCMS v3.6 - Cross-Site Scripting

In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. id: CVE-2018-7653 info: name: YzmCMS v3.6 - Cross-Site Scripting author: ritikchaddha severity: medium description: In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. impact: | Attackers can execute arbitrary JavaScript in...

Custom 404 Pro < 3.2.8 - Cross-Site Scripting

Custom 404 Pro before 3.2.9 is susceptible to cross-site scripting via the title parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to...