716 matches found
Cross-site scripting
Cross-site scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php...
FusionPBX cross-site scripting vulnerability
FusionPBX is a scalable, multi-threaded communications platform. The platform can be used as a call center server, fax server, VoIP server, voicemail server, conferencing server and voice application server. A security vulnerability exists in FusionPBX 4.5.26, which allows remote, unauthenticated...
Wedding Management System SQL injection vulnerability
Wedding Management System is a wedding planning management system by John Paul Lim Gabule. Wedding Management System v1.0 is vulnerable to SQL injection: the /Wedding-Management/admin/blogeventsedit.php?id=31 page does not validate external input before using it in SQL statements, which can ...
GHSA-WCJ4-FF9M-5R7G ImpressCMS Path Traversal to Arbitrary File Delete
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the imagepath parameter in a cancel action...
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
The plugin does not validate the filepath parameter of its umshowuploadedfile AJAX action, which could allow low-privileged users such as subscribers to enumerate local files on the web server via path traversal payloads. As a subscriber, submit a dummy image on a page/post with a File Upload...
GHSA-6C8C-F2W2-JVJR Alkacon OpenCMS XSS via homelink, workplaceresource, mode and query parameters
Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms 9.5.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) homelink parameter to system/modules/org.opencms.workplace.help/jsptemplates/helphead.jsp, (2) workplaceresource parameter to...
GHSA-3295-H9QX-R82X Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security
VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allow remote attackers to bypass security constraints via a path parameter...
ftcms path traversal vulnerability
ftcms is a content management system from ftcms. A security vulnerability exists in ftcms version 2.1 and earlier, which can be exploited by an attacker to conduct a directory traversal attack via the tp parameter...
CVE-2021-42165
MitraStar GPT-2541GNAC-N1 HGU 100VNZ0b33 devices allow remote authenticated users to obtain root access by executing the command "deviceinfo show file &&/bin/bash", because the "path" parameter is incorrectly sanitized and the "&&" operator is passed through to the shell...
EUVD-2006-4199
PHP remote file inclusion vulnerability in install3.php in WEBInsta Mailing List Manager 1.3e allows remote attackers to execute arbitrary PHP code via a URL in the cabsolutepath parameter...
CVE-2021-43459
A Cross Site Scripting XSS vulnerability exists in Rumble Mail Server 0.51.3135 via the 1 domain and 2 path parameters...
CVE-2022-27248
A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. An attack uses the path field to...
CVE-2022-25389
DCN Firewall DCME-520 was discovered to contain an arbitrary file download vulnerability via the path parameter in the file /audit/log/logmanagement.php...
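Several entries above are the same bug in different shapes: an absolute path accepted as-is (ImpressCMS imagepath), a relative "../" path that climbs out of the intended directory (ftcms tp, RefTree DownloadDwg), or a path that is handed to a file-download routine unchecked (DCN DCME-520). The following is an added example, not code from any of those products, showing the check a server-side handler should apply to a "path" value before touching the filesystem: reject absolute paths and null bytes, then canonicalize (following symlinks) and confirm the result still lies below the document root. The root directory, file names and symlink are constructed for the demonstration.

```python
"""Added example: containing an untrusted "path" parameter under a fixed
document root. Not code from any product listed on this page; the
sandbox directory, file names and symlink below are constructed."""
import os
import tempfile
from pathlib import Path


class PathTraversal(ValueError):
    """Raised when a requested path would escape the document root."""


def resolve_under_root(root: str, user_path: str) -> Path:
    """Map an untrusted path value to a file strictly below root.

    Rejects absolute paths (the ImpressCMS case), embedded null bytes,
    '..' segments that climb out (the ftcms / RefTree case) and symlinks
    that point outside root, by comparing the canonicalised target with
    the canonicalised root rather than inspecting the string.
    """
    if "\x00" in user_path:
        raise PathTraversal("null byte in path")
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise PathTraversal(f"absolute path rejected: {user_path!r}")
    root_real = Path(root).resolve(strict=True)
    # resolve() follows symlinks and collapses '..', so the containment
    # check sees where the path really ends up, not how it was spelled.
    target = (root_real / candidate).resolve(strict=False)
    if root_real not in target.parents:
        raise PathTraversal(f"path escapes root: {user_path!r}")
    return target


def classify(root: str, requests: list) -> dict:
    """Return 'allowed' or 'rejected' for each request string."""
    verdicts = {}
    for p in requests:
        try:
            resolve_under_root(root, p)
            verdicts[p] = "allowed"
        except PathTraversal:
            verdicts[p] = "rejected"
    return verdicts


def demo() -> dict:
    """Build a constructed sandbox and run a set of typical payloads."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "uploads")
    os.makedirs(os.path.join(root, "sub"))
    Path(root, "report.dwg").write_text("constructed file")
    outside = Path(tmp, "secret.txt")            # lives outside root
    outside.write_text("constructed secret")
    os.symlink(outside, Path(root, "link.txt"))  # symlink escaping root
    return classify(root, [
        "report.dwg",            # plain file under root
        "sub/../report.dwg",     # '..' that stays inside root
        "../secret.txt",         # relative traversal out of root
        "/etc/passwd",           # absolute path
        "link.txt",              # symlink pointing outside root
        "report.dwg\x00.png",    # null-byte truncation attempt
    ])


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request!r}")
```

The important design choice is that the decision is made on the resolved filesystem location, not on the presence of "../" in the string: encodings, redundant separators and symlinks all collapse to a concrete path before the containment test runs.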
CVE-2022-24633
All versions of FileCloud prior to 21.3 are vulnerable to user enumeration. The vulnerability exists in the "path" parameter when it is passed "/SHARED/". A malicious actor could confirm the existence of users by requesting share information for specific share paths...
D-Link Di-7200G Command Injection Vulnerability (CNVD-2022-15182)
D-Link Di-7200G is a gigabit enterprise router from China Youxun D-Link. D-Link DI-7200G V2.E1 v21.04.09E1 is vulnerable to command injection, which can be exploited by attackers to execute arbitrary commands via the path parameter...
A vulnerability in the `version_upgrade.asp` implementation in the D-Link DI-7200G V2.E1 router firmware allows an attacker to execute arbitrary commands.
The vulnerability in the versionupgrade.asp implementation in the D-Link DI-7200G V2.E1 router firmware stems from insufficient sanitization of input data while processing the path parameter. Exploiting this vulnerability allows an attacker to execute arbitrary commands...
CVE-2022-23378
A Cross-Site Scripting (XSS) vulnerability exists within version 3.2.2 of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter (the URL-encoded form of items[0][path]) of a request made to /admin/allergens/edit/1 is vulnerable...
TastyIgniter cross-site scripting vulnerability
TastyIgniter is free and open-source online ordering software based on the Laravel PHP framework, designed for developers and restaurateurs. A cross-site scripting (XSS) vulnerability exists in version 3.2.2 of...
CVE-2021-46230
D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function upgradefilter. This vulnerability allows attackers to execute arbitrary commands via the path and time parameters...
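The MitraStar entry (command "deviceinfo show file &&/bin/bash") and the three D-Link DI-7200G entries describe the other common fate of a "path" parameter: it is spliced into a command string that a shell parses, so an operator such as "&&" starts a second program. The following is an added example, not code from any of those devices, showing the two patterns side by side: the vulnerable string concatenation with shell=True, and the argument-vector call where the whole value stays a single argv entry, plus the allowlist check that should run before any command is built. "echo" stands in for the device's real tool so the effect is visible in stdout, and the payload is constructed for the demonstration.

```python
"""Added example: command injection through a "path" parameter.
Not code from any product listed on this page; 'echo' is a stand-in
for the real tool and PAYLOAD is a constructed attacker value."""
import re
import subprocess

# Constructed payload in the shape of the MitraStar advisory: a value
# followed by a shell operator and a second program. The second program
# is 'echo INJECTED' rather than '/bin/bash' so the result is observable.
PAYLOAD = "/tmp/f.txt && echo INJECTED"


def show_file_vulnerable(path: str) -> str:
    """String concatenation + shell=True: /bin/sh parses the '&&'."""
    completed = subprocess.run("echo show file " + path, shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def show_file_argv(path: str) -> str:
    """Argument vector, no shell: the whole value is one argv entry and
    '&&' is just characters inside it."""
    completed = subprocess.run(["echo", "show", "file", path],
                               capture_output=True, text=True)
    return completed.stdout


# Allowlist for an absolute file path: letters, digits, '.', '_', '-', '/'.
# Spaces, '&', ';', '|', '`', '$' and quotes never match.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")


def validate_path(path: str) -> str:
    """Reject anything outside the allowlist or containing '..' segments;
    run this before the value reaches any command builder."""
    if not SAFE_PATH.fullmatch(path):
        raise ValueError(f"rejected path parameter: {path!r}")
    if "/../" in path or path.endswith("/..") or path.startswith("../"):
        raise ValueError(f"traversal in path parameter: {path!r}")
    return path


def injected(path: str) -> bool:
    """True when the vulnerable pattern executed the injected command."""
    return "INJECTED" in show_file_vulnerable(path).splitlines()


if __name__ == "__main__":
    print("vulnerable:", repr(show_file_vulnerable(PAYLOAD)))
    print("argv      :", repr(show_file_argv(PAYLOAD)))
    try:
        validate_path(PAYLOAD)
    except ValueError as exc:
        print("validator :", exc)
```

Run on a POSIX system, the vulnerable call prints a second line "INJECTED" because /bin/sh executed the text after "&&"; the argv call prints the entire payload as part of one line. The validator is the belt to the argv call's braces: even with no shell involved, a file path that the tool itself interprets (for example one containing "..") should not reach it unchecked.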