Lucene search
K

44 matches found

OSV
OSV
added 2025/07/22 11:24 p.m.5 views

CVE-2025-54139 HAX CMS' application pages are vulnerable to clickjacking

HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an...

4.3CVSS6.4AI score0.003EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/06/11 9:8 p.m.6 views

CVE-2025-49137

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...

8.5CVSS8.3AI score0.00231EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/11 9:8 p.m.6 views

CVE-2025-49139

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is...

6.5CVSS5AI score0.00324EPSS
Exploits1References1
NVD
NVD
added 2025/06/09 9:15 p.m.12 views

CVE-2025-49139

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is...

6.5CVSS0.00324EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/06/09 9:0 p.m.14 views

CVE-2025-49137 Hax CMS Stored Cross-Site Scripting vulnerability

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...

8.5CVSS0.00231EPSS
Exploits1References2
CVE
CVE
added 2025/06/09 9:0 p.m.60 views

CVE-2025-49137

HAX CMS PHP prior to 11.0.0 is vulnerable to stored XSS via the saveNode and saveManifest endpoints, where unsanitized user input is stored in the site JSON schema and rendered in the generated microsite. The issue allows execution of arbitrary JavaScript through HTML tags (notably without using ...

8.5CVSS8.4AI score0.00231EPSS
Exploits1References2Affected Software2
OSV
OSV
added 2025/06/09 9:0 p.m.5 views

CVE-2025-49137 Hax CMS Stored Cross-Site Scripting vulnerability

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in...

8.5CVSS6.7AI score0.00231EPSS
Exploits1References4
NVD
NVD
added 2025/04/08 4:15 p.m.19 views

CVE-2025-32028

HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is...

9.9CVSS0.01725EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/04/08 4:6 p.m.18 views

CVE-2025-32028 HAX CMS PHP allows Insecure File Upload to Lead to Remote Code Execution

HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is...

9.9CVSS0.01725EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2023/12/26 6:15 p.m.3 views

CVE-2023-52086

resumable.php aka PHP backend for resumable.js 0.1.4 before 3c6dbf5 allows arbitrary file upload anywhere in the filesystem via ../ in multipart/form-data content to upload.php. File overwrite hasn't been possible with the code available in GitHub in recent years, however...

8.1CVSS5.9AI score0.00712EPSS
Exploits0References6
Cvelist
Cvelist
added 2023/12/26 12:0 a.m.26 views

CVE-2023-52086

resumable.php aka PHP backend for resumable.js 0.1.4 before 3c6dbf5 allows arbitrary file upload anywhere in the filesystem via ../ in multipart/form-data content to upload.php. File overwrite hasn't been possible with the code available in GitHub in recent years, however...

8.5AI score0.00712EPSS
Exploits0References5
CVE
CVE
added 2023/12/26 12:0 a.m.37 views

CVE-2023-52086

Resumable.php (PHP backend for resumable.js) vulnerable to Arbitrary File Upload. Versions 0.1.4 through 3c6dbf5 allow uploading arbitrary files anywhere on the filesystem via ../ in multipart/form-data to upload.php. The risk is enabling attackers to place files outside the intended directory; f...

8.1CVSS8.2AI score0.00712EPSS
Exploits0References5Affected Software1
Fedora
Fedora
added 2023/11/15 2:1 a.m.40 views

[SECURITY] Fedora 37 Update: roundcubemail-1.6.5-1.fc37

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in...

6.1CVSS6.3AI score0.00641EPSS
Exploits0
0day.today
0day.today
added 2023/03/31 12:0 a.m.310 views

WooCommerce v7.1.0 - Remote Code Execution Vulnerability

Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code ExecutionRCE Author: Milad Karimi Vendor Homepage: https://wordpress.org/plugins/woocommerce Software Link: https://wordpress.org/plugins/woocommerce Tested on: windows 10 , firefox Version: 7.1.0 CVE : N/A Description: simple, easy to use...

6.8AI score
Exploits0
Exploit DB
Exploit DB
added 2023/03/31 12:0 a.m.313 views

WooCommerce v7.1.0 - Remote Code Execution(RCE)

Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code ExecutionRCE Date: 2022-12-07 Author: Milad Karimi Vendor Homepage: https://wordpress.org/plugins/woocommerce Software Link: https://wordpress.org/plugins/woocommerce Tested on: windows 10 , firefox Version: 7.1.0 CVE : N/A Description:...

7.4AI score
Exploits0
0day.today
0day.today
added 2020/04/16 12:0 a.m.34 views

Pinger 1.0 - Remote Code Execution Exploit

Exploit for php platform in category web applications Title: Pinger 1.0 - Remote Code Execution Author: Milad Karimi Vendor Homepage: https://github.com/wcchandler/pinger Software Link: https://github.com/wcchandler/pinger Tested on: windows 10 , firefox Version: 1.0 CVE : N/A...

Exploits0
CNVD
CNVD
added 2019/12/03 12:0 a.m.1 views

SQL injection vulnerability in X5music V2.0 backend cl***.php page

x5music Free Edition is an audio-visual management system developed using php+Mysql. X5music V2.0 backend cl.php page has a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive database information...

7.9AI score
Exploits0
Cvelist
Cvelist
added 2019/06/20 1:43 p.m.20 views

CVE-2019-6961

Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged in user to control DDNS, QoS, RIP, and other privileged configurations intended only for the network operator by sending an HTTP POST to the PHP backend, because the page filtering for...

6.5AI score0.00927EPSS
Exploits0References1
CNVD
CNVD
added 2018/10/29 12:0 a.m.1 views

Code execution vulnerability in OURPHP backend (CNVD-2018-23349)

OURPHP is Harbin Weicheng Technology Co., Ltd. developed a PHP + MySQL based on the development of W3C standards-compliant building system. OURPHP backend code execution vulnerabilities, attackers can use the vulnerability to obtain control of the web server...

7.6AI score
Exploits0
0day.today
0day.today
added 2015/12/19 12:0 a.m.44 views

Pinger Remote Code Execution Vulnerability

Pinger suffers from a remote code execution vulnerability. ================================================================================ Pinger - Simple Pinging Webapp Remote Code Execution ================================================================================ Vendor Homepage:...

7.9AI score
Exploits0
Rows per page
Query Builder