CVE-2019-15053
The CVE-2019-15053 issue affects the HTML Include and replace macro plugin for Confluence Server (pre-1.5.0). A bypass of the includeScripts=false XSS protection via an IFRAME vector is documented, enabling cross-site scripting. Connected sources show a public exploit draft and vendor advisories ...
TeamPass <= 2.1.27.36 Multiple XSS Vulnerabilities
TeamPass is prone to multiple cross-site scripting (XSS) vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from the referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2018-20949
cPanel before 68.0.27 allows self XSS in WHM Apache Configuration Include Editor SEC-385...
CVE-2016-10828
cPanel before 55.9999.141 allows arbitrary code execution because of an unsafe @INC path SEC-97...
CVE-2016-10837
cPanel before 11.54.0.4 allows arbitrary code execution because of an unsafe @INC path SEC-46...
CVE-2019-13396
FlightPath 4.x and 5.0-x allows directory traversal and Local File Inclusion through the form_include parameter in an index.php?q=system-handle-form-submit POST request because of an include_once in system_handle_form_submit in modules/system/system.module...
[SECURITY] [DLA 1823-1] linux security update
Package : linux Version : 3.16.68-2 CVE ID : CVE-2019-3846 CVE-2019-5489 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11810 CVE-2019-11833 CVE-2019-11884 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of...
picketlink: URL injection via xinclude parameter
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks...
The vulnerability of the CUPS printing server, related to authentication errors, allows a perpetrator to gain access to confidential data.
The vulnerability of the CUPS printing server is related to the improper handling of certain include directives. This allows unprivileged users to gain access to and read arbitrary files from the superuser’s perspective. Exploiting this vulnerability enables a perpetrator to gain access to...
PT-2019-4683 · Apache +3 · Apache Tomcat +3
Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 7.0.0 through 7.0.93 Apache Tomcat versions 8.5.0 through 8.5.39 Apache Tomcat versions 9.0.0.M1 through 9.0.0.17 Description: The issue is related to the SSI printenv command in Apache Tomcat, which echoes user-provide...
CVE-2018-20487
An issue was discovered in the firewall3 component in Inteno IOPSYS 1.0 through 3.16. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the "path" argument to a malicious script or binary. This gets executed as root when the firewall changes are...
CVE-2019-10647
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source parameter because of a lack of inc/zzzfile.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if th...
CVE-2019-9829
Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/defaultpc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates...
Ultimate Membership Pro 7.4.2 <= 7.5 - Arbitrary media include
In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions that it's available on 7.4.2+ at least to make an HTTP request to any site you want. For example, by having it connect to a site you control, you can determine the IP address of the...
CVE-2019-7678
A directory traversal vulnerability was discovered in Enphase Envoy R3.. via images/, include/, include/js, or include/css on TCP port 8888...
CVE-2019-7402
An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfgqqcode parameter. This can be exploited via CSRF...