7206 matches found

Prion
added 2020/11/13 4:15 p.m. · 17 views

Design/Logic Flaw

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server...

CVSS 6.5 · AI score 8.7 · EPSS 0.06323
Exploits 3 · References 2 · Affected Software 1

Cvelist
added 2020/11/13 3:25 p.m. · 11 views

CVE-2020-25557

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server...

AI score 8.8 · EPSS 0.06323
Exploits 3 · References 2

CVE
added 2020/11/13 3:25 p.m. · 117 views

CVE-2020-25557

CMSUno 1.6.2 is affected by a code-injection vulnerability where an attacker can inject PHP code via the username field while changing their username/password. When the attacker logs in, the injected code executes, enabling an authenticated user to run commands on the server. Public advisories (e...

CVSS 8.8 · AI score 8.7 · EPSS 0.06323
Exploits 3 · References 2 · Affected Software 1

ATTACKERKB
added 2020/11/13 12:0 a.m. · 32 views

CVE-2020-25557

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a “username” while changing his/her username & password. After that, when attacker logs in to the application, attacker’s code will be run. As a result of this vulnerability, authenticated user can run command on the server. Recent...

CVSS 8.8 · AI score 3.3 · EPSS 0.06323
Exploits 3 · References 4

Positive Technologies
added 2020/11/13 12:0 a.m. · 2 views

PT-2020-16109 · Cmsuno · Cmsuno

Name of the Vulnerable Software and Affected Versions: CMSuno version 1.6.2 Description: The issue allows an attacker to inject malicious PHP code as a username while changing their username and password. After the attacker logs in to the application, their code will be executed, enabling an...

CVSS 8.8 · AI score 6.8 · EPSS 0.06323
Exploits 3 · References 8

NVD
added 2020/11/09 6:15 p.m. · 13 views

CVE-2020-23138

An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (e.g. .exe) to the web server by providing image data and the image/jpeg content type with a .php extension...

CVSS 9.8 · AI score 9.5 · EPSS 0.00433
Exploits 0 · References 2

Cvelist
added 2020/11/09 5:3 p.m. · 8 views

CVE-2020-23138

An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (e.g. .exe) to the web server by providing image data and the image/jpeg content type with a .php extension...

AI score 9.6 · EPSS 0.00433
Exploits 0 · References 2

Exploit DB
added 2020/11/06 12:0 a.m. · 245 views

Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)

Exploit Title: Sentrifugo 3.2 - 'assets' Remote Code Execution Authenticated Google Dork: N/A Date: 2020.10.06 Exploit Author: Fatih Çelik Vendor Homepage: https://sourceforge.net/projects/sentrifugo/ Software Link: https://sourceforge.net/projects/sentrifugo/ Blog:...

AI score 7.4
Exploits 0

OSV
added 2020/11/05 2:15 a.m. · 22 views

CVE-2020-27387

An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker with access to the FileManager to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload which will receiv...

CVSS 8.8 · AI score 7.5
Exploits 0 · References 4

Prion
added 2020/11/05 2:15 a.m. · 26 views

Unrestricted file upload

An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker with access to the FileManager to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload which will receiv...

CVSS 6.5 · AI score 9.5 · EPSS 0.70322
Exploits 4 · References 4 · Affected Software 1

Cvelist
added 2020/11/05 1:18 a.m. · 22 views

CVE-2020-27387

An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker with access to the FileManager to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager's rename function to provide the payload which will receiv...

AI score 9.2 · EPSS 0.70322
Exploits 4 · References 4

Positive Technologies
added 2020/11/05 12:0 a.m. · 2 views

PT-2020-16680 · Horizontcms · Horizontcms

Name of the Vulnerable Software and Affected Versions: HorizontCMS versions prior to 1.0.0-beta patched, but version number remains the same Description: The issue allows an authenticated remote attacker with access to the FileManager to upload and execute arbitrary PHP code. This is achieved by...

CVSS 8.8 · AI score 8.6 · EPSS 0.70322
Exploits 4 · References 11

ATTACKERKB
added 2020/10/30 12:0 a.m. · 73 views

CVE-2020-7373

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widgettabbedcontainertabpanel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is...

CVSS 9.8 · AI score 3.7 · EPSS 0.9443
Exploits 29 · References 5

Saint
added 2020/10/28 12:0 a.m. · 119 views

inoERP form personalization module command execution

Added: 10/28/2020. Background: inoERP is an open source web based enterprise management system. Problem: A vulnerability in the formpersonalization module allows remote, unauthenticated attackers to execute arbitrary PHP code injected in the templatecode parameter. Resolution: No fix is available at...

AI score 8.2
Exploits 0

Saint
added 2020/10/28 12:0 a.m. · 34 views

inoERP form personalization module command execution

Added: 10/28/2020. Background: inoERP is an open source web based enterprise management system. Problem: A vulnerability in the formpersonalization module allows remote, unauthenticated attackers to execute arbitrary PHP code injected in the templatecode parameter. Resolution: No fix is available at...

AI score 8.2
Exploits 0

NVD
added 2020/10/02 1:15 p.m. · 7 views

CVE-2020-18184

In PluXml V5.7, the theme edit function /PluXml/core/admin/parametresedittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template...

CVSS 7.2 · EPSS 0.00611
Exploits 1 · References 1

OSV
added 2020/10/02 1:15 p.m. · 9 views

CVE-2020-18184

In PluXml V5.7, the theme edit function /PluXml/core/admin/parametresedittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template...

CVSS 7.2 · AI score 7.9
Exploits 0 · References 1

OSV
added 2020/10/02 1:15 p.m. · 9 views

CVE-2020-18185

class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modifying the configuration file in a Linux environment...

CVSS 9.8 · AI score 7.6
Exploits 0 · References 1

Prion
added 2020/10/02 1:15 p.m. · 18 views

Code injection

In PluXml V5.7, the theme edit function /PluXml/core/admin/parametresedittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template...

CVSS 6.5 · AI score 7.3 · EPSS 0.00611
Exploits 1 · References 1 · Affected Software 1

UbuntuCve
added 2020/10/02 1:15 p.m. · 16 views

CVE-2020-18184

In PluXml V5.7, the theme edit function /PluXml/core/admin/parametresedittpl.php allows remote attackers to execute arbitrary PHP code by placing this code into a template...

CVSS 7.2 · AI score 7.2 · EPSS 0.00611
Exploits 1 · References 2