1447 matches found

wpexploit
added 2021/10/18 12:0 a.m. · 507 views

Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access

The plugin allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages, regardless of their author and status (i.e. private), using a shortcode. Password-protected posts/pages are not affected by this issue. insert page='pageslug' display='all' Where pagesl...

CVSS 4.3 · AI score 2.8 · EPSS 0.00186
Exploits 2 · References 1
Patchstack
added 2021/10/18 12:0 a.m. · 10 views

WordPress Insert Pages plugin <= 3.6.1 - Stored Cross-Site Scripting (XSS) vulnerability

Stored Cross-Site Scripting (XSS) vulnerability discovered by Francesco Carlucci in WordPress Insert Pages plugin versions <= 3.6.1. Solution: Update the WordPress Insert Pages plugin to the latest available version (at least 3.7.0)...

CVSS 5.4 · AI score 2.1 · EPSS 0.0018
Exploits 2 · References 3 · Affected Software 1
WPVulnDB
added 2021/10/18 12:0 a.m. · 18 views

Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access

The plugin allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages, regardless of their author and status (i.e. private), using a shortcode. Password-protected posts/pages are not affected by this issue. PoC insert page='pageslug' display='all' Where...

CVSS 4.3 · AI score 5.2 · EPSS 0.00186
Exploits 2 · References 1 · Affected Software 1
OSV
added 2021/10/11 5:15 p.m. · 1 view

DEBIAN-CVE-2021-32028

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality...

CVSS 6.5 · AI score 7.1 · EPSS 0.00641
Exploits 0 · References 1
OSV
added 2021/10/11 5:15 p.m. · 1 view

ALPINE-CVE-2021-32028

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality...

CVSS 6.5 · AI score 6.6 · EPSS 0.00641
Exploits 0 · References 1
OSV
added 2021/10/11 5:15 p.m. · 39 views

CVE-2021-32028

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality...

CVSS 6.5 · AI score 2.6 · EPSS 0.00641
Exploits 0 · References 4
CVE
added 2021/10/11 12:0 a.m. · 374 views

CVE-2021-32028

CVE-2021-32028 affects PostgreSQL families across multiple Linux distributions. A flaw lets an authenticated database user read arbitrary bytes from server memory by abusing an INSERT ... ON CONFLICT ... DO UPDATE on a crafted table, impacting data confidentiality. Public advisories reference aff...

CVSS 6.5 · AI score 7.3 · EPSS 0.00641
Exploits 0 · References 4 · Affected Software 1
Cvelist
added 2021/10/11 12:0 a.m. · 21 views

CVE-2021-32028

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality...

AI score 7.6 · EPSS 0.00641
Exploits 0 · References 4
Debian CVE
added 2021/10/11 12:0 a.m. · 38 views

CVE-2021-32028

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality...

CVSS 6.5 · AI score 7.5 · EPSS 0.00641
Exploits 0
Packet Storm
added 2021/09/23 12:0 a.m. · 199 views

Gurock Testrail 7.2.0.3014 Improper Access Control

Exploit Title: Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control Date: 22/09/2022 Exploit Author: Sick Codes & JohnJHacking Sakura Samuraii Vendor Homepage: https://www.gurock.com/testrail/ Version: 7.2.0.3014 and below Tested on: macOS, Linux, Windows CVE : CVE-2021-40875 Referenc...

AI score 0.4 · EPSS 0.83001
Exploits 4
Debian CVE
added 2021/09/09 2:41 p.m. · 26 views

CVE-2021-22239

Removed by vendor...

CVSS 5 · AI score 5.8 · EPSS 0.00165
Exploits 0
Positive Technologies
added 2021/09/09 12:0 a.m. · 1 view

PT-2021-6485 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 14.0 and later Description: The issue is related to the ability of an unauthorized user to insert metadata when creating a new issue. This allows a remote attacker to impact data integrity. Recommendations: For GitLab...

CVSS 5 · AI score 4.2 · EPSS 0.00165
Exploits 0 · References 12
Tenable Nessus
added 2021/08/31 12:0 a.m. · 44 views

SUSE SLED12 / SLES12 Security Update : mysql-connector-java (SUSE-SU-2021:2877-1)

The remote SUSE Linux SLED12 / SLES12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2877-1 advisory. - Vulnerability in the MySQL Connectors product of Oracle MySQL component: Connector/J. Supported versions that are affected are 8.0.1...

CVSS 5.1 · AI score 5.4 · EPSS 0.00732
Exploits 0 · References 8
Github Security Blog
added 2021/08/25 8:49 p.m. · 29 views

Out-of-bounds write in stack

ArrayVec::insert allows insertion of an element into the array object at the specified index. Due to a missing check on the upper bound of this index, it is possible to write out of bounds...

CVSS 10 · AI score 8.9 · EPSS 0.00632
Exploits 0 · References 5 · Affected Software 1
OSV
added 2021/08/23 7:41 p.m. · 28 views

GHSA-R6MV-PPJC-4HGR PHP file inclusion via insert tags

Impact: It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. Patches: Update to Contao 4.4.56, 4.9.18 or 4.11.7. Workarounds: Disable the login for untrusted back end users. References...

CVSS 6.7 · AI score 6.9 · EPSS 0.00492
Exploits 0 · References 6
CNNVD
added 2021/08/12 12:0 a.m. · 1 view

YUNUCMS Cross-Site Scripting Vulnerability

YUNUCMS is a website CMS. A cross-site scripting vulnerability exists in YUNUCMS 1.1.9, which originates from the param parameter in the insertContent function in ContentModel.php...

CVSS 4.8 · AI score 4.8 · EPSS 0.00235
Exploits 1 · References 2
OSV
added 2021/08/11 11:15 p.m. · 10 views

CVE-2021-37626

Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify...

CVSS 7.2 · AI score 6.9
Exploits 0 · References 2
NVD
added 2021/08/11 11:15 p.m. · 8 views

CVE-2021-37626

Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify...

CVSS 7.2 · EPSS 0.00492
Exploits 0 · References 2
Prion
added 2021/08/11 11:15 p.m. · 13 views

Code injection

Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify...

CVSS 6.5 · AI score 7 · EPSS 0.00492
Exploits 0 · References 2 · Affected Software 1
Contao
added 2021/08/11 12:0 a.m. · 19 views

PHP file inclusion via insert tags

Date: 2021-08-11. CVE ID: CVE-2021-37626. Description: It is possible for untrusted users to load arbitrary PHP files via insert tags. Installations are only affected if there are untrusted back end users. Affected versions: Contao 4.0, Contao 4.1, Contao 4.2, Contao 4.3, Contao 4.4 up to 4.4.55, Contao...

CVSS 7.2 · AI score 6.9 · EPSS 0.00492
Exploits 0 · Affected Software 1