144 matches found

NVD
added 2021/04/26 2:15 p.m. | 8 views

CVE-2021-25838

The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload...

6.1 CVSS | 0.00317 EPSS
Exploits: 0 | References: 2
CVE
added 2021/04/26 1:30 p.m. | 40 views

CVE-2021-25838

MintHCM Release 3.0.8 contains an XSS vulnerability in the Import feature during file-upload. The issue arises from the Import functionality allowing an attacker to inject and execute JavaScript in uploaded content, enabling cross-site scripting. Impact is limited to XSS as described in multiple ...

6.1 CVSS | 5.9 AI score | 0.00317 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2021/04/26 1:30 p.m. | 14 views

CVE-2021-25838

The Import function in MintHCM RELEASE 3.0.8 allows an attacker to execute a cross-site scripting (XSS) payload in file-upload...

6.1 AI score | 0.00317 EPSS
Exploits: 0 | References: 2
CNVD
added 2020/04/20 12:0 a.m. | 1 views

OpenMRS Input Validation Error Vulnerability (CNVD-2020-26250)

OpenMRS is an open source electronic medical record system from OpenMRS, Inc. in the United States. OpenMRS suffers from an input validation error vulnerability that stems from the import function of the data exchange module not properly redirecting to the login page. An attacker could exploit th...

6.1 CVSS | 6.9 AI score | 0.00993 EPSS
Exploits: 1 | References: 1
CNVD
added 2019/11/14 12:0 a.m. | 4 views

WordPress ultimate-faqs plugin input validation error vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. ultimate-faqs is a FAQ plugin used in it. An input validation error vulnerability exists in the Functions/EWDUFAQImport.php file in...

7.5 CVSS | 6.8 AI score | 0.08423 EPSS
Exploits: 1 | References: 1
OSV
added 2019/05/02 2:29 p.m. | 2 views

CVE-2019-11677

The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection...

9.8 CVSS | 7.3 AI score | 0.02347 EPSS
Exploits: 0 | References: 1
Hacker One
added 2019/04/08 5:29 a.m. | 60 views

Snapchat: Server-Side Request Forgery using Javascript allows to exfill data from Google Metadata

Hey there, I was looking at your ads site with @daeken, we found some weird behavior in the import function of the creative app. Here are the steps: POC - Login to https://business.snapchat.com/ - Go to creative library - New Creative - Under "Topsnap Media", click on "Create" - Click on any of t...

6.8 AI score
Exploits: 0
CNVD
added 2018/12/17 12:0 a.m. | 4 views

OpenRefine XML External Entity Injection Vulnerability

OpenRefine is a standalone open source desktop application for data cleaning and converting data to other formats. An XML External Entity Injection (XXE) vulnerability exists in the data import function in OpenRefine versions 3.1 and earlier. The vulnerability can be exploited to read arbitrary fil...

7.5 CVSS | 7 AI score | 0.00413 EPSS
Exploits: 1 | References: 1
OSV
added 2018/11/21 12:29 a.m. | 1 views

CVE-2018-19404

In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allows remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url=...

7.2 CVSS | 6 AI score | 0.00744 EPSS
Exploits: 1 | References: 1
CNVD
added 2018/06/20 12:0 a.m. | 1 views

PHPOK Arbitrary File Upload Vulnerability

PHPOK is an enterprise building system that supports expansion. An arbitrary file upload vulnerability exists in the 'importf' function in the framework/admin/moduleccontrol.php file in PHPOK version 4.9.032. An attacker can exploit this vulnerability to upload arbitrary zip files...

9.8 CVSS | 9.6 AI score | 0.00411 EPSS
Exploits: 1 | References: 1
Prion
added 2018/06/15 6:29 p.m. | 21 views

Privilege escalation

PHPOK 4.9.032 has an arbitrary file upload vulnerability in the importf function in framework/admin/moduleccontrol.php, as demonstrated by uploading a .php file within a .php.zip archive, a similar issue to CVE-2018-8944...

7.5 CVSS | 9.5 AI score | 0.00411 EPSS
Exploits: 1 | References: 1 | Affected Software: 1
CNVD
added 2018/01/08 12:0 a.m. | 1 views

Denial of Service Vulnerability in INVT Studio

INVT Studio is a serial and Ethernet based inverter monitoring system. A denial of service vulnerability exists in INVT Studio version 1.20 due to a failure to follow the specification for code behavior at the INVT Studio import function. An attacker can exploit this vulnerability to cause a deni...

5.5 CVSS | 7 AI score | 0.00137 EPSS
Exploits: 0
CNVD
added 2017/05/23 12:0 a.m. | 2 views

PlaySMS Remote Code Execution Vulnerability (CNVD-2017-08174)

PlaySMS is a web-based SMS platform. The platform supports connectivity to SMS gateways, personal messaging systems, and corporate group communication tools. A remote code execution vulnerability exists in the import.php file (a.k.a. phonebook import function) in PlaySMS version 1.4. A remote...

9.8 CVSS | 9.7 AI score | 0.79988 EPSS
Exploits: 3 | References: 1
CNVD
added 2017/05/22 12:0 a.m. | 3 views

PlaySMS Remote Code Execution Vulnerability (CNVD-2017-10344)

PlaySMS is an open source web SMS platform. A remote code execution vulnerability exists in PlaySMS. The vulnerability stems from the address book calling a function in import.php. An attacker can exploit the vulnerability to execute malicious code...

8.3 AI score
Exploits: 0 | References: 1
exploitpack
added 2017/05/21 12:0 a.m. | 11 views

PlaySMS 1.4 - import.php Remote Code Execution

PlaySMS 1.4 - import.php Remote Code Execution Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php Date: 21-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22...

8.1 AI score
Exploits: 0
myhack58
added 2016/10/17 12:0 a.m. | 38 views

From patch comparison to reproducing the PoC: MS16-030 - vulnerability warning - the black bar safety net

MS16-030 vulnerability: MS16-030 is a Windows OLE remote code execution vulnerability. Because OLE does not correctly validate user input, a specially crafted file or program can trigger the vulnerability, causing, after the user clicks on it, remo...

7.8 AI score
Exploits: 0
OSV
added 2016/05/31 1:59 a.m. | 1 views

CVE-2016-0879

Moxa Secure Router EDR-G903 devices before 3.4.12 do not delete copies of configuration and log files after completing the import function, which allows remote attackers to obtain sensitive information by requesting these files at an unspecified URL...

7.5 CVSS | 5.9 AI score
Exploits: 0 | References: 1
seebug.org
added 2014/09/29 12:0 a.m. | 17 views

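CuuMall latest version arbitrary file inclusion

Brief description: The CuuMall free online store system is built on an enterprise-grade MVC architecture. It is secure and stable, can support around 10,000 concurrent online users, suits companies in different fields, uses file caching and database caching mechanisms to keep the system running stably, and offers a range of features to meet different customers' needs for opening an online shop. Detailed description: // execute the application static public function exec // whether tag extension is enabled $tagOn = C'APPPLUGINON'; // project run tag if$tagOn tag'apprun'; // create the Action controller instance $group = defined'GROUPNAME' ? GROUPNAME.C'APPGROUPDEP...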

7.1 AI score
Exploits: 0
Packet Storm
added 2014/07/24 12:0 a.m. | 33 views

Windows Mail Rogue Program.exe Execution

Hi @ll, the import function of Windows Mail executes a rogue program C:\Program.exe with the credentials of another account, resulting in a privilege escalation! 1. Fetch and save it as C:\Program.exe 2. Start Windows Mail part of Windows Vista and Windows Server 2008 3. On the File menu, click...

7.4 AI score
Exploits: 0
Tenable Nessus
added 2014/07/10 12:0 a.m. | 35 views

Debian DSA-2975-1 : phpmyadmin - security update

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-4995 Authenticated users could inject arbitrary web script or HTML via a crafted SQL query. -...

6.5 CVSS | 7.3 AI score | 0.00374 EPSS
Exploits: 1 | References: 12