
7223 matches found

IBM Security Bulletins
Added 2019/03/06 12:5 a.m. | 24 views

Security Bulletin: IBM API Connect Developer Portal is affected by arbitrary PHP code execution vulnerability in Drupal (CVE-2019-6340)

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-6340 DESCRIPTION: Drupal Core could allow a remote attacker to execute arbitrary PHP code on the system, caused by improper input validation in some field types. By sending a specially-crafted...

CVSS 8.1 | AI score 1.5 | EPSS 0.91919
Exploits: 22 | Affected software: 1

Cvelist
Added 2019/03/06 12:0 a.m. | 21 views

CVE-2019-9581

phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension...

AI score 8.9 | EPSS 0.13733
Exploits: 4 | References: 4

OSV
Added 2019/03/05 2:29 p.m. | 9 views

CVE-2019-9572

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...

CVSS 7.2 | AI score 7.4
Exploits: 0 | References: 1

Prion
Added 2019/03/05 2:29 p.m. | 12 views

Unrestricted file upload

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...

CVSS 6.5 | AI score 7.2 | EPSS 0.02031
Exploits: 1 | References: 1 | Affected software: 1

NVD
Added 2019/03/05 2:29 p.m. | 9 views

CVE-2019-9572

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of...

CVSS 7.2 | AI score 7.2 | EPSS 0.02031
Exploits: 1 | References: 1

NVD
Added 2019/02/26 7:29 a.m. | 19 views

CVE-2019-9182

There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter...

CVSS 8.8 | AI score 8.9 | EPSS 0.00787
Exploits: 1 | References: 3

Prion
Added 2019/02/26 7:29 a.m. | 13 views

Code injection

There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter...

CVSS 6.8 | AI score 8.8 | EPSS 0.00787
Exploits: 1 | References: 1 | Affected software: 1

CVE
Added 2019/02/26 7:0 a.m. | 44 views

CVE-2019-9182

CVE-2019-9182 affects ZZZCMS zzzphp v1.6.1. A CSRF flaw in /admin015/save.php?act=editfile enables PHP code injection by supplying a filename in the file parameter and content in the filetext parameter, leading to potential code execution on the server. Exploitation details are described in the C...

CVSS 8.8 | AI score 8.8 | EPSS 0.00787
Exploits: 1 | References: 3 | Affected software: 1

Cvelist
Added 2019/02/26 7:0 a.m. | 23 views

CVE-2019-9182

There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter...

AI score 9 | EPSS 0.00787
Exploits: 1 | References: 3

CNVD
Added 2019/02/26 12:0 a.m. | 2 views

ZZZCMS zzzphp Cross-Site Request Forgery Vulnerability

ZZZCMS zzzphp is a content management system (CMS). A cross-site request forgery vulnerability exists in ZZZCMS zzzphp version V1.6.1. A remote attacker can exploit this vulnerability to inject PHP code with the help of the 'file' and 'filetext' parameters...

CVSS 8.8 | AI score 7.2 | EPSS 0.00787
Exploits: 1 | References: 1

Veracode
Added 2019/02/25 8:11 a.m. | 36 views

PHP Code Injection

smarty-php/smarty is vulnerable to PHP code injection attacks. The vulnerability exists as the template names are unsanitized when called from fetch or display, allowing PHP code injection attacks...

CVSS 9.8 | AI score 9.5 | EPSS 0.03124
Exploits: 0 | References: 7 | Affected software: 1

Exploit DB
Added 2019/02/25 12:0 a.m. | 89 views

zzzphp CMS 1.6.1 - Remote Code Execution

Exploit Title: dynamic code evaluation of zzzphp cms 1.6.1 Google Dork: intext:"2015-2019 zzcms.com" Date: 24/02/2019 Exploit Author: Yang Chenglong Vendor Homepage: http://www.zzzcms.com/index.html Software Link: http://115.29.55.18/zzzphp.zip Version: 1.6.1 Tested on: windows/Linux,iis/apache C...

CVSS 7.2 | AI score 7.2 | EPSS 0.31421
Exploits: 8

NVD
Added 2019/02/23 6:29 p.m. | 31 views

CVE-2019-9041

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzztemplate.php file, the parserIfLabel function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring...

CVSS 7.2 | AI score 7.1 | EPSS 0.31421
Exploits: 8 | References: 2

Prion
Added 2019/02/23 6:29 p.m. | 23 views

Code injection

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzztemplate.php file, the parserIfLabel function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring...

CVSS 6.5 | AI score 7.1 | EPSS 0.31421
Exploits: 8 | References: 2 | Affected software: 1

OSV
Added 2019/02/23 6:29 p.m. | 4 views

CVE-2019-9041

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzztemplate.php file, the parserIfLabel function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring...

CVSS 7.2 | AI score 7.1 | EPSS 0.31421
Exploits: 8 | References: 2

Cvelist
Added 2019/02/23 6:0 p.m. | 42 views

CVE-2019-9041

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzztemplate.php file, the parserIfLabel function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring...

AI score 7.2 | EPSS 0.31421
Exploits: 8 | References: 2

NVD
Added 2019/02/22 7:29 a.m. | 23 views

CVE-2019-9002

An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the databasehost parameter if the installer remains present in its original directory after installation is completed...

CVSS 9.8 | AI score 9.8 | EPSS 0.02422
Exploits: 1 | References: 2

UbuntuCve
Added 2019/02/21 9:29 p.m. | 36 views

CVE-2019-6340

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core...

CVSS 8.1 | AI score 7.6 | EPSS 0.91919
Exploits: 22 | References: 4

ThreatPost
Added 2019/02/21 3:54 p.m. | 133 views

Highly Critical Drupal CMS Flaw Affects Millions of Websites

The Drupal open-source content management system platform has issued an advisory for a highly critical remote-code execution (RCE) flaw in the Drupal core. The vulnerability, CVE-2019-6340, arises from the fact that “some field types do not properly sanitize data from non-form sources,” according to...

CVSS 6.8 | AI score 8.2 | EPSS 0.91919
Exploits: 22 | References: 7

The Hacker News
Added 2019/02/21 10:18 a.m. | 163 views

Another Critical Flaw in Drupal Discovered — Update Your Site ASAP!

Developers of Drupal—a popular open-source content management system software that powers millions of websites—have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site. The update came two days after the Drupal securi...

CVSS 8.1 | AI score 1 | EPSS 0.91919
Exploits: 22