2467323 matches found
Admidio - Cross-Site Scripting
A cross-site scripting vulnerability is present in Admidio prior to version 4.0.12. The reflected cross-site scripting vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Through this vulnerability, an attacker is capable to execute malicious...
Pie Register < 3.7.1.6 - SQL Injection
The Registration Forms User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. id:...
Erxes <0.23.0 - Cross-Site Scripting
Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag. id: CVE-2021-32853 info: name: Erxes 0.23.0 - Cross-Site Scripting author: dwisiswant0 severity: critical description: Erxes before 0.23.0...
WordPress ProfilePress 3.0-3.1.3 - Arbitrary File Upload
A vulnerability in the file uploader component found in the /src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. id: CVE-2021-3462...
Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection
Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. id: CVE-2021-42071 info: name: Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection author: gy741 severity: critical description: Visual...
Triconsole Datepicker Calendar <3.77 - Cross-Site Scripting
Triconsole Datepicker Calendar before 3.77 contains a cross-site scripting vulnerability in calendarform.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents. id:...
Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload
TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats. id: CVE-2021-45428 info: name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Upload author: gy741 severity: critical descriptio...
Apache Struts2 S2-008 RCE
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. id: CVE-2012-0392 info: name: Apache...
WordPress Plugin Download Monitor < 3.3.5.9 - Cross-Site Scripting
A cross-site scripting vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. id: CVE-2012-4768 info: name: WordPress Plugin Download Monitor 3.3.5.9 - Cross-Site...
FlatnuX CMS - Directory Traversal
A path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action. id: CVE-2012-4878 info: name: FlatnuX CMS - Directory Traversal author: daffainfo severity:...
Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access
An absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. id: CVE-2012-0896 info: name: Count Per Day = 3.1 - download.php f Parameter Traversal Arbitrary File Access author:...
PuneethReddyHC Online Shopping System homeaction.php SQL Injection
An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php catid parameter. Using a post request does not sanitize the user input. id: CVE-2021-41649 info: name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection...
Caucho Resin >=4.0.52 <=4.0.56 - Directory traversal
There is a Directory traversal vulnerability in Caucho Resin, as distributed in Resin 4.0.52 - 4.0.56, which allows remote attackers to read files in arbitrary directories via a ; in a pathname within an HTTP request. id: CVE-2021-44138 info: name: Caucho Resin =4.0.52 =4.0.56 - Directory travers...
Joomla! ChronoForums 2.0.11 - Local File Inclusion
Joomla! ChronoForums 2.0.11 avatar function is vulnerable to local file inclusion through unauthenticated path traversal attacks. This enables an attacker to read arbitrary files, for example the Joomla! configuration file which contains credentials. id: CVE-2021-28377 info: name: Joomla!...
WordPress ProfilePress <= 3.1.3 - Privilege Escalation
ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including wpcapabilities, during profile updates. This enables a user to escalate their privileges to...
Thruk 2.40-2 - Cross-Site Scripting
Thruk 2.40-2 contains a cross-site scripting vulnerability via /thruk/cgi-bin/status.cgi?style=combined&title=TITLE in the host or title parameter. An attacker can inject arbitrary JavaScript into status.cgi, leading to a triggered payload when accessed by an authenticated user. id: CVE-2021-3548...
Eclipse BIRT Viewer - Remote Code Execution
Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters. id: CVE-2021-34427 info: name: Eclipse BIRT Viewer - Remote Code...
WordPress WPCargo Track & Trace <6.9.0 - Remote Code Execution
WordPress WPCargo Track & Trace plugin before 6.9.0 is susceptible to remote code execution, The plugin contains a file which can allow an attacker to write a PHP file anywhere on the web server, leading to possible remote code execution. This can allow an attacker to execute malware, obtain...
WP-FaceThumb 0.1 - Cross-Site Scripting
A cross-site scripting vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the paginationwpfacethumb parameter. id: CVE-2012-2371 info: name: WP-FaceThumb 0.1 - Cross-Site Scripting author: daffainfo severity:...
WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting
A cross-site scripting vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. id: CVE-2012-4242 info: name: WordPress Plugin MF Gig Calendar 0.9.2 - Cross-Site Scripting author:...