CVE-2018-16763
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution. Recent assessments: noraj at May 08, 2021 7:33pm UTC reported: Unauthenticated RCE with default config, this is critical. Assessed...
CVE-2018-0658
Input validation issue in EC-CUBE Payment Module 2.12 version 3.5.23 and earlier, EC-CUBE Payment Module 2.11 version 2.3.17 and earlier, GMO-PG Payment Module PG Multi-Payment Service 2.12 version 3.5.23 and earlier, GMO-PG Payment Module PG Multi-Payment Service 2.11 version 2.3.17 and earlier...
CVE-2018-0645
MTAppjQuery 1.8.1 and earlier allows remote PHP code execution via unspecified vectors...
Input validation
Input validation issue in EC-CUBE Payment Module 2.12 version 3.5.23 and earlier, EC-CUBE Payment Module 2.11 version 2.3.17 and earlier, GMO-PG Payment Module PG Multi-Payment Service 2.12 version 3.5.23 and earlier, GMO-PG Payment Module PG Multi-Payment Service 2.11 version 2.3.17 and earlier...
CVE-2018-0658
CVE-2018-0658 concerns input validation bypass in EC-CUBE Payment Module and GMO-PG Payment Module (PG Multi-Payment Service). Affected: EC-CUBE Payment Module (2.12) up to version 3.5.23 and earlier; EC-CUBE Payment Module (2.11) up to 2.3.17 and earlier; GMO-PG Payment Module (PG Multi-Payment ...
CVE-2018-0645
MTAppjQuery (Movable Type plugin) v1.8.1 and earlier is vulnerable to remote PHP code execution due to inclusion of Uploadify (unrestricted file upload, CWE-434). Exploitation could allow a remote attacker to execute arbitrary PHP code on the server. Affected: MTAppjQuery 1.8.1 and earlier. Root ...
Guangzhou Lychee Network Co. Touchmedia News APP has file upload vulnerability
Touchdown News App is a news and information app. A file upload vulnerability exists in Touchmedia News APP by Guangzhou Lychee Network Co. An attacker can exploit the vulnerability to upload arbitrary PHP files and execute arbitrary PHP scripts on a remote server...
CVE-2018-16604
Nibbleblog v4.0.5 is affected. The issue allows an attacker with admin credentials to execute arbitrary PHP code by exploiting the username field, which is surrounded by double quotes (e.g., "${phpinfo()}"). Root cause is improper handling of the admin username leading to code execution. Impact i...
idreamsoft iCMS Path Traversal Vulnerability
idreamsoft iCMS is an open source content management system (CMS) based on PHP and MySQL. A path traversal vulnerability exists in admincp.php?app=config in idreamsoft iCMS version 7.0.11, which can be exploited by remote attackers to execute arbitrary PHP code in a ZIP file...
Code injection
In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP code through /Public/?g=Team&m=Setting&a=upgrade by placing a .php file in a ZIP archive...
CVE-2018-16370
In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP code through /Public/?g=Team&m=Setting&a=upgrade by placing a .php file in a ZIP archive...
CVE-2018-16320
idreamsoft iCMS 7.0.11 allows admincp.php?app=config Directory Traversal, resulting in execution of arbitrary PHP code from a ZIP file...
CVE-2018-16320
CVE-2018-16320 affects idreamsoft iCMS 7.0.11. A directory traversal flaw in admincp.php?app=config enables arbitrary PHP code execution from a ZIP file. Root cause: path traversal in the configuration admin endpoint. Impact: arbitrary code execution; exploitation status is not provided in the do...
UltimatePOS 2.5 - Remote Code Execution
UltimatePOS 2.5 - Remote Code Execution Exploit Title: UltimatePOS 2.5 - Remote Code Execution Google Dork: intext:"UltimatePOS" Date: 2018-08-22 Exploit Author: Renos Nikolaou Vendor Homepage: http://ultimatefosters.com/ Software Link:...
Arbitrary Code Execution
phpwhois/phpwhois is vulnerable to arbitrary code execution attacks. The application unsafely uses the PHP function eval, allowing a malicious user to inject and execute arbitrary PHP code through it...
DamiCMS has an arbitrary file write vulnerability
DamiCMS is a content management system (CMS) for building websites quickly. An arbitrary file write vulnerability exists in DamiCMS v6.0.0. The vulnerability stems from the template editing page failing to strictly check the file name suffix; an attacker can exploit the vulnerability to write...
Raptor WAF v0.5 - Web Application Firewall using DFA
Raptor is a web application firewall written in C that uses DFA to block SQL injection, cross-site scripting and path traversal. To run: $ git clone https://github.com/CoolerVoid/raptorwaf $ cd raptorwaf; make; bin/raptor Note: Don't execute with "cd bin; ./raptor"; use the full path "bin/raptor". look detail...