18 matches found
Apache Wicket has a Path Traversal issue
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...
CVE-2026-43975
FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...
CVE-2026-43975
CVE-2026-43975 affects Apache Wicket via the FolderUploadsFileManager, which fails to validate or sanitize the uploadFieldId parameter or the clientFileName when constructing file paths. This can let an unauthenticated attacker write files outside the intended upload directory or read files from ...
Apache Wicket 路径遍历漏洞
Apache Wicket is an open-source, lightweight, component-based framework developed by the Apache Foundation in the United States. It provides an object-oriented approach for developing web-based dynamic UI applications. Versions 8.0.0 to 8.17.0, 9.0.0 to 9.22.0, and 10.0.0 to 10.8.0 of Apache Wick...
CVE-2025-6251
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item'fieldid' in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
EUVD-2025-198115
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item'fieldid' in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-6251
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item'fieldid' in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2025-47425
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item'field id' in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
EUVD-2022-47872
Malicious code in bioql PyPI...
CVE-2025-41043
A vulnerability has been discovered in appRain CMF version 4.0.5, consisting of a stored authenticated XSS due to a lack of proper validation of user input, through the 'dataAppReportCodeid' and 'dataAppReportCodename' parameters in /apprain/appreport/manage/...
CVE-2022-44945
Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the headingfieldid parameter...
CVE-2022-44945
Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the headingfieldid parameter...
PT-2022-27344 · Unknown · Rukovoditel
Name of the Vulnerable Software and Affected Versions: Rukovoditel version 3.2.1 Description: A SQL injection issue was discovered via the heading field id parameter. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world...
Rukovoditel SQL注入漏洞
Rukovoditel is a set of Web-based open source project management software from the Rukovoditel team. The software features project management, customer relationship management, and more. Rukovoditel v3.2.1 version of a security vulnerability , the vulnerability stems from through the headingfield...
Product Show Room Site SQL注入漏洞
Product Show Room Site is a product showroom site from Carlo Montero's personal developer. version 1.0 of Product Show Room Site is vulnerable to a SQL injection vulnerability that originates in /psrs/admin/fields/managefield.php?id=page. SQL injection problem, an attacker can use this...
CVE-2020-13588
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The headingfieldid parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this...
PT-2021-9654 · Unknown · Rukovoditel Project Management App
Name of the Vulnerable Software and Affected Versions: Rukovoditel Project Management App version 2.7.2 Description: An exploitable SQL injection issue exists in the 'entities/fields' page. The heading field id parameter in this page is vulnerable to authenticated SQL injection. An attacker can...
CVE-2016-10710
Biscom Secure File Transfer SFT 5.0.1000 through 5.0.1048 does not validate the dataFieldId value, and uses sequential numbers, which allows remote authenticated users to overwrite or read files via crafted requests. Version 5.0.1050 contains the fix...