
15 matches found

Github Security Blog
added 2026/02/04 9:32 p.m., 5 views

Winter CMS has Stored Cross-site Scripting (XSS) in Asset Manager

Impact: Affected versions of Winter CMS allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manageasset...

CVSS 3.5 · AI score 5.4 · EPSS 0.00018
Exploits 0 · References 5 · Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2013-3863

Malware in sbrugna...

CVSS 5.4 · AI score 5.6 · EPSS 0.00264
Exploits 1 · References 4
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2023-30343

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.6 · EPSS 0.0549
Exploits 0 · References 3
OSV
added 2025/06/27 2:15 p.m., 4 views

CVE-2025-52992

The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and...

CVSS 3.2 · AI score 7.1 · EPSS 0.0007
Exploits 0 · References 6
OSV
added 2024/07/27 1:15 p.m., 1 view

CVE-2024-6703

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'description' and 'btntxt' parameters in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 3
Positive Technologies
added 2024/02/26 12:00 a.m., 2 views

PT-2024-15799 · Unknown · Anything-Llm

Name of the Vulnerable Software and Affected Versions: AnythingLLM, affected versions not specified. Description: If an instance of AnythingLLM is hosted on an internal network and the attacker is granted a permission level of manager or admin, they could link-scrape internally to resolve IPs of...

CVSS 7.7 · AI score 6.7 · EPSS 0.00408
Exploits 1 · References 7
Vulnrichment
added 2024/02/25 7:48 p.m., 9 views

CVE-2024-0439 User can manually send request at manager permission to modify system configurations

As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since most managers would not be savvy enough to modify these settings. They can use their token to still modify those settings though through a standard HTTP request...

CVSS 7.1 · AI score 6.9 · EPSS 0.00216
Exploits 1 · References 2
OSV
added 2023/05/02 8:15 p.m., 4 views

CVE-2023-26546

European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission...

CVSS 8.8 · AI score 6.3 · EPSS 0.0549
Exploits 0 · References 3
Prion
added 2023/05/02 8:15 p.m., 21 views

Sql injection

European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission...

CVSS 6.5 · AI score 8.7 · EPSS 0.0549
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2023/05/02 12:00 a.m., 16 views

CVE-2023-26546

European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission...

AI score 8.9 · EPSS 0.0549
Exploits 0 · References 3
Vulnrichment
added 2023/05/02 12:00 a.m., 8 views

CVE-2023-26546

European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. The attacker must have template manager permission...

AI score 8.7 · EPSS 0.0549
Exploits 0 · References 3
Prion
added 2020/01/02 8:15 p.m., 12 views

Sql injection

SQL injection vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to execute arbitrary SQL commands via the id parameter in an editProfile action to administrator/index.php...

CVSS 6.5 · AI score 8.6 · EPSS 0.01274
Exploits 0 · References 3 · Affected Software 1
Prion
added 2020/01/02 8:15 p.m., 16 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to inject arbitrary web script or HTML via the propertyname parameter, related to editing property details...

CVSS 3.5 · AI score 5.7 · EPSS 0.00264
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2020/01/02 7:26 p.m., 11 views

CVE-2013-3932

SQL injection vulnerability in the Jomres (com_jomres) component before 7.3.1 for Joomla! allows remote authenticated users with the "Business Manager" permission to execute arbitrary SQL commands via the id parameter in an editProfile action to administrator/index.php...

AI score 8.9 · EPSS 0.01274
Exploits 0 · References 3
Tenable Nessus
added 2018/04/24 12:00 a.m., 58 views

openSUSE Security Update : salt (openSUSE-2018-388)

This update for salt fixes the following issues: - Regression: permission problem: salt-ssh minion bootstrap doesn't work anymore (bsc#1027722) - wrong use of osfamily string for Suse in the locale module and others (bsc#1038855) - Cannot bootstrap a host using 'Manage system completely via SSH will no...

CVSS 9.8 · AI score 7.4 · EPSS 0.01854
Exploits 0 · References 60