15 matches found

CNNVD
added 2026/03/16 12:0 a.m. | 2 views

CMS Made Simple Code Injection Vulnerability

CMS Made Simple (CMSMS) is an open-source content management system developed by the Cmsms team. This system supports role-based permission management systems, wizard-based installation and update mechanisms, and intelligent caching features. Versions of CMS Made Simple prior to 2.2.21 contained a...

4.8 CVSS | 5.7 AI score | 0.00038 EPSS
Exploits 0 | References 4
Vulnrichment
added 2026/01/12 2:54 p.m. | 3 views

CVE-2025-41077 Multiple vulnerabilities in Viafirma products

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality ...

8.6 CVSS | 6.5 AI score | 0.00042 EPSS
Exploits 0 | References 1
PyPA
added 2025/12/16 1:15 a.m. | 7 views

PYSEC-2025-233

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue...

4.3 CVSS | 5.8 AI score | 0.00012 EPSS
Exploits 0 | References 2 | Affected Software 1
EUVD
added 2025/12/02 3:30 p.m. | 2 views

EUVD-2025-200242

Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation...

3.5 CVSS | 5 AI score | 0.0003 EPSS
Exploits 1 | References 3
OSV
added 2025/12/02 2:16 p.m. | 3 views

CVE-2025-65858

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed...

3.5 CVSS | 5.1 AI score | 0.0003 EPSS
Exploits 1 | References 1
Cvelist
added 2025/12/02 12:0 a.m. | 5 views

CVE-2025-65858

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed...

0.0003 EPSS
Exploits 1 | References 1
Vulnrichment
added 2025/12/02 12:0 a.m. | 1 view

CVE-2025-65858

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed...

4.8 AI score | 0.0003 EPSS
Exploits 1 | References 1
OSV
added 2023/06/07 1:15 p.m. | 3 views

CVE-2021-4337

Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wpajaxsvxajaxfactory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...

8.8 CVSS | 5.8 AI score
Exploits 0 | References 3
OSV
added 2021/04/09 1:15 p.m. | 1 view

CVE-2020-21884

Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /listusers, /listbyod?usertype=raduser, /dhcpleases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device...

8.8 CVSS | 5.7 AI score | 0.00678 EPSS
Exploits 1 | References 3
Prion
added 2021/04/09 1:15 p.m. | 9 views

Cross site request forgery (csrf)

Unibox SMB 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a cross-site request forgery (CSRF) vulnerability in /tools/network-trace, /listusers, /listbyod?usertype=raduser, /dhcpleases, /go?rid=202 in which a specially crafted HTTP request may reconfigure the device...

9.3 CVSS | 8.6 AI score | 0.00678 EPSS
Exploits 1 | References 3 | Affected Software 5
CNVD
added 2017/12/22 12:0 a.m. | 2 views

Piwigo List Users API Component SQL Injection Vulnerability

Piwigo is a web-based photo album software from the Piwigo team. The software supports photo publishing, management, multiple browsing methods (categories, tags, time and so on). List Users API is a list user interface component of Piwigo. A SQL injection vulnerability exists in the List Users API...

4.9 CVSS | 8.2 AI score | 0.00303 EPSS
Exploits 0 | References 1
ATTACKERKB
added 2017/12/21 4:29 a.m. | 2 views

CVE-2017-17822

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database...

4.9 CVSS | 8.4 AI score | 0.00303 EPSS
Exploits 0 | References 4
OSV
added 2017/12/21 4:29 a.m. | 17 views

CVE-2017-17822

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database...

4.9 CVSS | 6.2 AI score
Exploits 0 | References 3
Prion
added 2017/12/21 4:29 a.m. | 17 views

Sql injection

The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via the /admin/user_list_backend.php sSortDir_0 parameter. An attacker can exploit this to gain access to the data in a connected MySQL database...

4 CVSS | 5.8 AI score | 0.00303 EPSS
Exploits 0 | References 3 | Affected Software 1
CVE
added 2017/12/21 4:0 a.m. | 46 views

CVE-2017-17822

CVE-2017-17822 affects Piwigo 2.9.2, specifically the List Users API. The vulnerability is a SQL injection in the List Users API component, exploitable via the /admin/user_list_backend.php sSortDir_0 parameter, allowing an attacker to access data in a connected MySQL database. Multiple connected ...

4.9 CVSS | 6.1 AI score | 0.00303 EPSS
Exploits 0 | References 3 | Affected Software 1