7203 matches found

Source: CVE, added 2022/03/10 5:31 p.m., 75 views

CVE-2022-24652

CVE-2022-24652 affects SentCMS 4.0.x. The vulnerability stems from a lack of validation of uploaded files in the unauthorized file upload interface at /admin/upload/upload, enabling remote attackers to upload arbitrary files and achieve PHP code execution. The NVD reports a high-severity impact (...

CVSS 9.8, AI score 9.5, EPSS 0.02647
Exploits: 1, References: 1, Affected Software: 1
Source: Cvelist, added 2022/03/10 5:31 p.m., 29 views

CVE-2022-24652

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload...

AI score 9.8, EPSS 0.02647
Exploits: 1, References: 1
Source: Cvelist, added 2022/03/10 5:24 p.m., 10 views

CVE-2022-24651

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload...

AI score 9.9, EPSS 0.02647
Exploits: 1, References: 1
Source: CVE, added 2022/03/10 5:24 p.m., 69 views

CVE-2022-24651

CVE-2022-24651 affects SentCMS 4.0.x. The vulnerability allows remote attackers to upload arbitrary files via an unauthorized upload interface at /user/upload/upload, enabling PHP code execution. Multiple sources corroborate that the issue stems from lack of validation of uploaded files. No patch...

CVSS 9.8, AI score 9.6, EPSS 0.02647
Exploits: 1, References: 1, Affected Software: 1
Source: Cvelist, added 2022/03/09 9:25 p.m., 16 views

CVE-2022-24734 Remote code execution in mybb

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on Change Settings pages. This resul...

CVSS 7.2, AI score 7.5, EPSS 0.82413
Exploits: 9, References: 6
Source: Cvelist, added 2022/03/02 4:41 p.m., 21 views

CVE-2022-25016

Home Owners Collection Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /studentattendance/index.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file...

AI score 9.9, EPSS 0.01018
Exploits: 1, References: 1
Source: NVD, added 2022/03/01 2:15 a.m., 9 views

CVE-2022-25018

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages...

CVSS 8.8, EPSS 0.0269
Exploits: 1, References: 4
Source: OSV, added 2022/03/01 2:15 a.m., 14 views

CVE-2022-25018

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages...

CVSS 8.8, AI score 8.2, EPSS 0.0269
Exploits: 1, References: 4
Source: UbuntuCve, added 2022/03/01 2:15 a.m., 26 views

CVE-2022-25018

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages...

CVSS 8.8, AI score 7.5, EPSS 0.0269
Exploits: 1, References: 5
Source: Cvelist, added 2022/03/01 1:25 a.m., 15 views

CVE-2022-25018

Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary code via crafted PHP code inserted into static pages...

AI score 9.3, EPSS 0.0269
Exploits: 1, References: 4
Source: Debian CVE, added 2022/03/01 1:25 a.m., 50 views

CVE-2022-25018

Removed by vendor...

CVSS 8.8, AI score 8.8, EPSS 0.0269
Exploits: 1
Source: OSV, added 2022/02/24 3:15 p.m., 21 views

CVE-2021-44967

A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be...

CVSS 8.8, AI score 9
Exploits: 0, References: 3
Source: Prion, added 2022/02/24 3:15 p.m., 13 views

Remote code execution

A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file...

CVSS 9, AI score 8.9, EPSS 0.7738
Exploits: 3, References: 2, Affected Software: 1
Source: Vulnrichment, added 2022/02/23 11:50 p.m., 7 views

CVE-2022-24708 Stored XSS vulnerability in anuko/timetracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with element...

CVSS 6.5, AI score 6.4, EPSS 0.00206
Exploits: 0, References: 2
Source: Cvelist, added 2022/02/22 9:17 p.m., 14 views

CVE-2021-44967

A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file. NOTE: the Supplier's position is that plugins intentionally can contain arbitrary PHP code, and can only be...

AI score 9.3, EPSS 0.7738
Exploits: 3, References: 3
Source: CVE, added 2022/02/22 9:17 p.m., 99 views

CVE-2021-44967

LimeSurvey 5.2.4 is affected by a Remote Code Execution (RCE) via the Upload & Install Plugins function. The vulnerability allows a remote authenticated user to upload an arbitrary PHP code file and execute it on the server (e.g., a reverse shell), as demonstrated by multiple PoCs/exploits linked...

CVSS 9, AI score 9, EPSS 0.7738
Exploits: 3, References: 3, Affected Software: 1
Source: NVD, added 2022/02/16 5:15 p.m., 17 views

CVE-2022-24664

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts...

CVSS 9.9, EPSS 0.01544
Exploits: 2, References: 1
Source: NVD, added 2022/02/16 5:15 p.m., 12 views

CVE-2022-24665

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress Gutenberg block by any user able to edit posts...

CVSS 9.9, EPSS 0.02105
Exploits: 3, References: 1
Source: ATTACKERKB, added 2022/02/16 12:00 a.m., 35 views

CVE-2022-24664

PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts. Recent assessments: Assessed Attacker Value: 0; Assessed Attacker Value: 0; Assessed Attacker Value: 0...

CVSS 9.9, AI score 7.1, EPSS 0.01544
In wild, Exploits: 2, References: 2
Source: CISA KEV Catalog, added 2022/02/15 12:00 a.m., 40 views

PHPUnit Command Injection Vulnerability

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI...

CVSS 9.8, AI score 6.7, EPSS 0.9421
In wild, Exploits: 17
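Two of the patterns in this listing leave a recognisable trace in an ordinary web-server access log: requests to PHPUnit's eval-stdin.php (the KEV entry above), and POSTs to the SentCMS upload interfaces at /admin/upload/upload and /user/upload/upload followed by a fetch of a PHP file from an upload directory (CVE-2022-24651/-24652). The detector below is an added example, not code from Vulners, PHPUnit, SentCMS or any advisory on this page. It assumes the Apache/nginx "combined" log format, and the sample log lines are constructed for the example; the rule names and the list of PHP-executable extensions are the example's own choices.

```python
"""Flag access-log lines matching the PHP code-execution patterns listed above."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Assumed "combined" log format; only client IP, method, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths named in the advisories above (compared case-insensitively).
UPLOAD_ENDPOINTS = {"/admin/upload/upload", "/user/upload/upload"}
EVAL_STDIN = "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"
# Extensions a typical PHP handler configuration executes (assumed list).
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")


@dataclass(frozen=True)
class Finding:
    ip: str
    rule: str
    method: str
    path: str
    status: int


def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode and lower-case the path so
    /blog/vendor/PHPUnit/.../Eval-Stdin.php?x=1 still matches."""
    return unquote(urlsplit(target).path).lower()


def classify(method: str, target: str) -> Optional[str]:
    path = normalize_path(target)
    # 1. Any hit on PHPUnit's eval-stdin.php. The "<?php" body that triggers
    #    execution is not in an access log, so the path is the signal: a 404
    #    is a scanner probing for an exposed /vendor, a 200 on POST is execution.
    if path.endswith(EVAL_STDIN):
        return "phpunit-eval-stdin"
    # 2. POST to the SentCMS upload interfaces; the log cannot show whether
    #    the request was authenticated, so every POST is worth a look.
    if method == "POST" and path in UPLOAD_ENDPOINTS:
        return "upload-endpoint-post"
    # 3. A PHP-executable file served from an upload directory: what a
    #    successful arbitrary upload looks like once the attacker uses it.
    if "/upload" in path and path.endswith(PHP_EXTS):
        return "php-under-uploads"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        rule = classify(m["method"], m["target"])
        if rule:
            findings.append(Finding(m["ip"], rule, m["method"],
                                    normalize_path(m["target"]), int(m["status"])))
    return findings


# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:17:31:02 +0000] "POST /admin/upload/upload HTTP/1.1" 200 87 "-" "curl/7.81.0"
203.0.113.5 - - [10/Mar/2022:17:31:05 +0000] "GET /uploads/20220310/shell.php?cmd=id HTTP/1.1" 200 412 "-" "curl/7.81.0"
198.51.100.9 - - [15/Feb/2022:00:00:09 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Feb/2022:00:00:11 +0000] "GET /blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2022:17:40:00 +0000] "GET /admin/upload/upload HTTP/1.1" 405 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2022:17:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2022:17:40:02 +0000] "GET /uploads/2022/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ip:<14} {f.rule:<22} {f.method} {f.path} -> {f.status}")
```

Run against the sample, the scanner reports four findings: the upload POST and the follow-up fetch of shell.php from 203.0.113.5, and both eval-stdin.php requests from 198.51.100.9 (the 404 under /blog/ is a probe, the 200 on POST is the real hit). The GET to /admin/upload/upload, the index page and the JPEG are left alone. Rule 3 is the one that most deserves tuning per site: if the application legitimately serves .php from a path containing "/upload", narrow it to the actual upload directory.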