14 matches found
CVE-2021-24845
The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to...
CVE-2021-24845
The CVE refers to the WordPress plugin Improved Include Page, version
CVE-2021-24845 Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to...
WordPress plugin Improved Include Page security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to. include-page allowtype="post" allowstatus="draft" id="131" include-page...
WordPress Improved Include Page plugin <= 1.2 - Arbitrary Posts/Pages Access vulnerability
Arbitrary Posts/Pages Access vulnerability discovered by Francesco Carlucci in WordPress Improved Include Page plugin versions <= 1.2. Solution: Deactivate and delete. This plugin has been closed as of October 8, 2021 and is not available for download. This closure is temporary, pending a full revi...
Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
The plugin allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to. PoC include-page allowtype="post" allowstatus="draft" id="131"...
ZYCHCMS V03 '/include/page.asp' file has an arbitrary directory traversal vulnerability
ZYCHCMS is an enterprise website management system. An arbitrary directory traversal vulnerability exists in the ZYCHCMS V03 '/include/page.asp' file. This allows an attacker to traverse directories and view sensitive directory and file information...
ZYCHCMS V03 Arbitrary File Write Vulnerability in '/include/page.asp' File
ZYCHCMS is an enterprise website management system. ZYCHCMS V03 '/include/page.asp' file contains an arbitrary file write vulnerability. The vulnerability allows attackers to write scripts to arbitrary files to gain server privileges...
ZYCHCMS V04 Arbitrary File Write Vulnerability in /include/page.asp File
ZYCHCMS is an enterprise website management system. An arbitrary file write vulnerability exists in the ZYCHCMS V04 /include/page.asp file. The vulnerability allows attackers to write scripts to arbitrary files to gain server privileges...
CVE-2017-7897
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use o...
Cross site scripting
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use o...
Atlassian Confluence 2.x >= 2.7 / 3.x < 3.4.9 Multiple XSS
According to its self-reported version number, the instance of Atlassian Confluence on the remote host is a 2.x version that is 2.7 or later, or else version 3.x prior to 3.4.9. It is, therefore, affected by multiple cross-site scripting vulnerabilities. Errors in the validation of input data to...
PT-2008-3301 · Blogator · Blogator-Script
Name of the Vulnerable Software and Affected Versions: Blogator-script version 1.0 Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the incl page parameter in several PHP files, including struct admin.php, struct admin blog.php, and struct main.php in the...