74cms - ajax_street.php 'key' SQL Injection

SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajaxstreet.php. id: CVE-2020-22211 info: name: 74cms - ajaxstreet.php 'key' SQL Injection author: ritikchaddha severity: critical description: | SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajaxstreet.php. impact: | Successf...

Monstra CMS 3.0.4 - Cross-Site Scripting

Monstra CMS 3.0.4 contains a cross-site scripting vulnerability via the page feature in admin/index.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials...

XXL-JOB v2.2.0 — Stored Cross Site Scripting

Multiple cross-site scripting XSS vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via 1 AppName and 2AddressList parameter in JobGroupController.java file. id: CVE-2020-23814 info: name: XXL-JOB v2.2.0 — Stored Cross Site Scripting author:...

Gridx 1.3 - Remote Code Execution

Gridx 1.3 is susceptible to remote code execution via tests/support/stores/testgridfilter.php, which allows remote attackers to execute arbitrary code via crafted values submitted to the $query parameter. id: CVE-2020-19625 info: name: Gridx 1.3 - Remote Code Execution author: geeknik severity:...

Quixplorer <=2.4.1 - Cross-Site Scripting

Quixplorer through 2.4.1 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can allow the attacker to steal cookie-based authentication credentials and launch other attacks. id:...

Fuel CMS 1.4.7 - SQL Injection

FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. id: CVE-2020-17463 info: name: Fuel CMS 1.4.7 - SQL Injection author: Thirukrishnan severity: critical description: | FUEL CMS 1.4.7 allows SQL Injection via the col parameter to...

HomeAutomation 3.3.2 - Open Redirect

HomeAutomation 3.3.2 contains a redirect vulnerability caused by improper verification of the 'redirect' GET parameter in 'api.php', letting attackers redirect users to arbitrary websites, exploit requires user interaction with a crafted link. id: CVE-2020-21998 info: name: HomeAutomation 3.3.2 -...

INTELBRAS TELEFONE IP TIP200 60.61.75.22 - Local File Inclusion

INTELBRAS TELEFONE IP TIP200 version 60.61.75.22 is vulnerable to information disclosure, allowing unauthenticated attackers to access sensitive device information and configuration data via a direct request to the /cgi-bin/exportsettings.sh endpoint. id: CVE-2020-24285 info: name: INTELBRAS...

Jeesns 1.4.2 - Cross-Site Scripting

Jeesns 1.4.2 is vulnerable to reflected cross-site scripting that allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the system error message's text field. id: CVE-2020-19282 info: name: Jeesns 1.4.2 - Cross-Site Scripting author: pikpikcu severity: medium...

DomainMOD 4.13.0 - Cross-Site Scripting

DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...

ZZcms - Cross-Site Scripting

ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. id: CVE-2020-20285 info: name: ZZcms -...

Suprema BioStar <2.8.2 - Local File Inclusion

Suprema BioStar before 2.8.2 Video Extension allows remote attackers can read arbitrary files from the server via local file inclusion. id: CVE-2020-15050 info: name: Suprema BioStar 2.8.2 - Local File Inclusion author: gy741 severity: high description: Suprema BioStar before 2.8.2 Video Extensio...

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

WordPress Workreap - Remote Code Execution

WordPress Workreap theme is susceptible to remote code execution. The AJAX actions workreapawardtempfileuploader and workreaptempfileuploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to th...

Odoo <= 15.0 - Cross-Site Scripting

A cross-site scripting XSS vulnerability in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web scripts into the browser of a victim via a crafted link. This issue could lead to the execution of malicious scripts in the context of t...

SysAid 20.4.74 - Cross-Site Scripting

SysAid 20.4.74 contains a reflected cross-site scripting vulnerability via the KeepAlive.jsp stamp parameter. id: CVE-2021-31862 info: name: SysAid 20.4.74 - Cross-Site Scripting author: jas37 severity: medium description: SysAid 20.4.74 contains a reflected cross-site scripting vulnerability via...

WordPress Paytm Donation <=1.3.2 - Authenticated SQL Injection

WordPress Paytm Donation plugin through 1.3.2 is susceptible to authenticated SQL injection. The plugin does not sanitize, validate, or escape the id GET parameter before using it in a SQL statement when deleting donations. An attacker can possibly obtain sensitive information, modify data, and/o...

GiveWP <= 2.9.7 - Cross-Site Scripting

GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress versions before 2.10.0 is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in the admin Donors page. id: CVE-2021-24213 info: name: GiveWP = 2.9.7 - Cross-Site Scripting author: Shivam Kamboj severity: medium...

WordPress Photo Gallery by 10Web <1.5.69 - Cross-Site Scripting

WordPress Photo Gallery by 10Web plugin before 1.5.69 contains multiple reflected cross-site scripting vulnerabilities via the galleryid, tag, albumid and themeid GET parameters passed to the bwgfrontenddata AJAX action, available to both unauthenticated and authenticated users. id: CVE-2021-2429...

Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution

Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view...