8225 matches found
CVE-2019-18626
Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social...
CVE-2019-18626
Harris Ormed Self Service before 2019.1.4 allows an authenticated user to view W-2 forms belonging to other users via an arbitrary empNo value to the ORMEDMIS/Data/PY/T4W2Service.svc/RetrieveW2EntriesForEmployee URI, thus exposing sensitive information including employee tax information, social...
WordPress pricing-table-by-supsystic insecure permissions vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security issue exists in WordPress pricing-table-by-supsystic prior to version 1.8.2, which stems from the...
Cross site scripting
A number of stored Cross-site Scripting XSS vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through web application form inputs...
rails_admin ruby gem XSS vulnerability
RailsAdmin aka railsadmin before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms...
CVE-2020-6205
SAP NetWeaver AS ABAP Business Server Pages Smart Forms, SAPBASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content...
CVE-2020-6205
SAP NetWeaver AS ABAP Business Server Pages Smart Forms, SAPBASIS versions- 7.00, 7.01, 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54; does not sufficiently encode user controlled inputs, allowing an unauthenticated attacker to non-permanently deface or modify displayed content...
CVE-2020-6205
SAP NetWeaver AS ABAP Business Server Pages (Smart Forms) is affected across SAP BASIS versions 7.00–7.54 due to insufficient encoding of user-controlled inputs, enabling unauthenticated users to perform a Reflected Cross-Site Scripting (XSS) that can deface content, steal user credentials, imper...
PT-2020-19006 · Sap · Sap Netweaver As Abap +1
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS ABAP Business Server Pages Smart Forms, SAP BASIS versions 7.00 through 7.54 Description: The issue arises from insufficient encoding of user-controlled inputs, allowing an unauthenticated attacker to non-permanently deface o...
PT-2020-15370 · Jenkins · Jenkins Backlog Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Backlog Plugin versions 2.4 and earlier Description: The issue concerns the transmission of configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. Credentials are stored...
CVE-2020-9457
The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users with minimal privileges to import custom vulnerable forms and change form settings via classrmformsettingscontroller.php, resulting in privilege escalation...
CVE-2020-9457
The RegistrationMagic plugin through 4.6.0.3 for WordPress allows remote authenticated users with minimal privileges to import custom vulnerable forms and change form settings via classrmformsettingscontroller.php, resulting in privilege escalation...
Improper access control
A Broken Access Control vulnerability in the D-Link DSL-2680 web administration interface Firmware EU1.03 allows an attacker to enable or disable MAC address filtering by submitting a crafted Forms/WlanMacFilter1 POST request without being authenticated on the admin interface...
CVE-2019-19226
CVE-2019-19226 affects D-Link DSL-2680 (Firmware EU_1.03) web administration. A Broken Access Control flaw in the Forms/WlanMacFilter_1 POST handling allows an unauthenticated attacker to enable/disable MAC address filtering. The root cause is improper access restrictions on the MAC-filter config...
CVE-2019-19222
A Stored XSS issue in the D-Link DSL-2680 web administration interface Firmware EU1.03 allows an authenticated attacker to inject arbitrary JavaScript code into the info.html administration page by sending a crafted Forms/wirelessautonetwork1 POST request...
PT-2020-10104 · D Link · D-Link Dsl-2680
Name of the Vulnerable Software and Affected Versions: D-Link DSL-2680 version EU 1.03 Description: A Broken Access Control issue in the web administration interface allows an attacker to change DNS servers without authentication by submitting a crafted Forms/dns 1 POST request. Recommendations:...
CVE-2019-19987
An issue was discovered in Selesta Visual Access Manager VAM 4.15.0 through 4.29. It allows Cross-Site Request Forgery CSRF on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, add user, add privilege, and so on...
Cross site request forgery (csrf)
An issue was discovered in Selesta Visual Access Manager VAM 4.15.0 through 4.29. It allows Cross-Site Request Forgery CSRF on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, add user, add privilege, and so on...
CVE-2019-19987
An issue was discovered in Selesta Visual Access Manager VAM 4.15.0 through 4.29. It allows Cross-Site Request Forgery CSRF on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, add user, add privilege, and so on...
WordPress Easy Forms for Mailchimp plugin <= 6.6.2 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting XSS vulnerability discovered in WordPress Easy Forms for Mailchimp plugin versions = 6.6.2. Solution Update the WordPress Easy Forms for Mailchimp plugin to the latest available version at least 6.6.3...