7 matches found
CVE-2026-47346
Backend users with file write permissions were able to upload form definition files with mixed-case extensions e.g., .FORM.YAML to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to...
EUVD-2018-12697
Malware in sbrugna...
EUVD-2018-13032
Malware in sbrugna...
DedeCMS Arbitrary PHP Code Execution Vulnerability (CNVD-2019-04908)
Desdev DedeCMS Dream Weaving Content Management System is China's Zhuozhuo network Desdev Technology Co., Ltd. of a set of open-source set of content publishing, editing, management and retrieval is equal to one of the PHP Web site content management system CMS. A security vulnerability exists in...
CVE-2018-20478
An issue was discovered in S-CMS 1.0. It allows reading certain files, such as PHP source code, via the admin/download.php DownName parameter with a mixed-case extension, as demonstrated by a DownName=download.Php value...
CVE-2018-20127
An issue was discovered in zzzphp cms 1.5.8. delfile in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because for example "php" is blocked but path=F:/1.phP. succeeds...
FreeBSD : wesnoth -- disclosure of .pbl files with lowercase, uppercase, and mixed-case extension (2a8b7d21-1ecc-11e5-a4a5-002590263bf5)
Ignacio R. Morelle reports : As mentioned in the Wesnoth 1.12.4 and Wesnoth 1.13.1 release announcements, a security vulnerability targeting add-on authors was found bug 23504 which allowed a malicious user to obtain add-on server passphrases from the client's .pbl files and transmit them over th...