Lucene search

8 matches found

RedhatCVE
added 2025/08/07 12:31 a.m. | 7 views

CVE-2025-54780

The glpi-screenshot-plugin allows users to take screenshots or screen recordings directly from GLPI. In versions below 2.0.2, an authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2...

CVSS 7.7 | AI score 6.1 | EPSS 0.00226
Exploits 0 | References 1
NVD
added 2025/08/05 1:15 a.m. | 4 views

CVE-2025-54780

The glpi-screenshot-plugin allows users to take screenshots or screen recordings directly from GLPI. In versions below 2.0.2, an authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2...

CVSS 7.7 | EPSS 0.00226
Exploits 0 | References 2
OSV
added 2025/08/05 12:08 a.m. | 2 views

CVE-2025-54780 glpi-screenshot-plugin exposes local files in /ajax/screenshot.php

The glpi-screenshot-plugin allows users to take screenshots or screen recordings directly from GLPI. In versions below 2.0.2, an authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2...

CVSS 7.7 | AI score 6.7 | EPSS 0.00226
Exploits 0 | References 4
Github Security Blog
added 2024/08/29 5:58 p.m. | 25 views

XXE in PHPSpreadsheet encoding is returned

Summary: Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack). Details: the check $pattern = '/encoding=".?"/'; is easy to bypass. Just use a single quote symbol '. So the payload looks like this:...

CVSS 8.8 | AI score 6.7 | EPSS 0.00155
Exploits 1 | References 4 | Affected software 2
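Worked example for the PHPSpreadsheet entry above: a pre-parse scanner that recognises only a double-quoted encoding="..." attribute, and the UTF-7 document that slips past it when the declaration uses single quotes. This is an added illustration, not PHPSpreadsheet's code or the advisory's payload. It is written in Python so it runs stand-alone; the regex encoding="(.*?)" is my reconstruction of the double-quoted-only check the snippet describes (the exact original pattern is not reproduced here), and the file:///etc/passwd entity is a constructed sample.

```python
import base64
import re

# Constructed sample payload (not taken from the page): the usual file-reading XXE body.
XXE_BODY = (
    '<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<data>&xxe;</data>'
)


def find_charset_vulnerable(xml: bytes) -> str:
    """Charset detection with the weakness the page describes: only a
    double-quoted encoding="..." attribute is recognised. The regex is my
    reconstruction of that behaviour, not the original pattern."""
    m = re.search(rb'encoding="(.*?)"', xml)
    return m.group(1).decode("ascii", "replace") if m else "UTF-8"


def find_charset_fixed(xml: bytes) -> str:
    """Accept either quote character, as the XML declaration grammar does."""
    m = re.search(rb'encoding\s*=\s*(["\'])(.*?)\1', xml)
    return m.group(2).decode("ascii", "replace") if m else "UTF-8"


def scan_rejects(xml: bytes, find_charset) -> bool:
    """Return True if the pre-parse scanner rejects the document.

    The scanner normalises the bytes to UTF-8 using the declared charset and
    then looks for DOCTYPE/ENTITY markers. If the charset is missed, a UTF-7
    document keeps those markers hidden inside base64 shift sequences.
    """
    charset = find_charset(xml)
    if charset.upper() != "UTF-8":
        try:
            xml = xml.decode(charset).encode("utf-8")
        except (LookupError, UnicodeDecodeError):
            return True  # unknown or undecodable charset: refuse rather than guess
    return re.search(rb"<!(?:DOCTYPE|ENTITY)", xml, re.IGNORECASE) is not None


def utf7_shift(text: str) -> bytes:
    """Encode text as one UTF-7 '+...-' shift sequence (UTF-16BE, base64).

    Python's own utf-7 codec leaves '<', '!' and '&' as plain ASCII, so the
    sequence is built by hand to make sure no literal '<!' survives in the
    raw bytes."""
    b64 = base64.b64encode(text.encode("utf-16-be")).rstrip(b"=")
    return b"+" + b64 + b"-"


def build_payload(quote: str) -> bytes:
    """UTF-7 XXE document whose declaration uses the given quote character."""
    decl = f'<?xml version="1.0" encoding={quote}UTF-7{quote}?>'
    return decl.encode("ascii") + utf7_shift(XXE_BODY)


if __name__ == "__main__":
    for quote in ('"', "'"):
        doc = build_payload(quote)
        print(f"quote={quote!r}: vulnerable scanner rejects={scan_rejects(doc, find_charset_vulnerable)}, "
              f"fixed scanner rejects={scan_rejects(doc, find_charset_fixed)}")
```

With the single-quoted declaration the vulnerable scanner never converts the bytes, finds no "<!DOCTYPE" in the base64 run, and lets the document through to a parser that will honour the UTF-7 declaration and expand the entity. Widening the regex closes this particular hole, but the robust fix is to stop relying on a byte-level pre-scan at all and disable external entity resolution in the XML parser itself (in PHP, never set LIBXML_NOENT and use the entity-loader controls; in Python, defusedxml).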
Huntr
added 2022/12/12 5:21 a.m. | 22 views

Unauthenticated Remote Command Execution on corebos due to exposed install files.

Description: While analysing the corebos source code, I found a file that looked interesting: install/MigrationDbBackup.php. This file contains the following snippet of code: <?php /* The contents of this file are subject to the vtiger CRM Public License Version 1.0 ("License"); You may not use this...

CVSS 7.5 | AI score 1.9 | EPSS 0.00724
Exploits 1 | References 1
Packet Storm
added 2016/10/20 12:00 a.m. | 37 views

SPIP 3.1.2 File Enumeration / Path Traversal

SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982). Product Description: SPIP is a publishing system for the Internet which puts importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence. Vulnerability...

AI score 7.7 | EPSS 0.32657
Exploits 4
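The GLPI entries (leaking files or using PHP wrappers through an endpoint) and the SPIP path traversal entry above share one root cause: a user-controlled path reaches a file function without being confined to a directory. The function below is an added example of the containment check such a handler needs. It is not code from GLPI, SPIP or this site; it is written in Python rather than the projects' PHP so it runs stand-alone, and the base directory /srv/app/screenshots in the usage is a made-up value.

```python
import os


class UnsafePath(ValueError):
    """Raised when a user-supplied path must not be served."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Map a user-supplied relative path onto a file inside base_dir.

    Returns the canonical absolute path or raises UnsafePath. The checks cover
    the two failure modes named in the entries above: traversal out of the
    directory, and stream wrappers (php://filter, phar://, data:, ...) that a
    PHP file function would open as if they were files.
    """
    if not user_path:
        raise UnsafePath("empty path")
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")  # classic extension-check truncation trick
    if ":" in user_path:
        # A scheme always carries a colon; a file name under the app never needs one.
        raise UnsafePath("scheme or stream wrapper in path")
    if os.path.isabs(user_path):
        # os.path.join() discards base_dir entirely when the second argument is absolute.
        raise UnsafePath("absolute path")

    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # realpath() collapses '..' and follows symlinks, so a symlink inside base_dir
    # that points outside it is caught by the same containment test.
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise UnsafePath("path escapes base directory")
    return target


def is_safe(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if resolve_under() accepts the path."""
    try:
        resolve_under(base_dir, user_path)
    except UnsafePath:
        return False
    return True


if __name__ == "__main__":
    # /srv/app/screenshots is a made-up base directory for the demonstration.
    base = "/srv/app/screenshots"
    for candidate in ("2024/shot.png", "../../../etc/passwd", "/etc/passwd",
                      "php://filter/convert.base64-encode/resource=config.php",
                      "shot.png\x00.jpg"):
        print(f"{candidate!r:60} -> {'ok' if is_safe(base, candidate) else 'REJECTED'}")
```

The containment test is done on the resolved path, not on the string the user sent, which is what defeats ../ sequences, encoded variants that decode to them, and symlinks. Rejecting any colon is deliberately stricter than "reject ://": it also catches data: and similar scheme forms, and on a POSIX host nothing a web handler serves needs one (Windows drive letters would need separate handling). The PHP equivalent is realpath() on the joined path followed by a prefix comparison against the realpath() of the base directory, with the wrapper check done before any file function sees the string.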
0day.today
added 2013/05/03 12:00 a.m. | 24 views

WordPress Advanced XML Reader 0.3.4 XXE Injection Vulnerability

WordPress Advanced XML Reader plugin version 0.3.4 suffers from an XXE (XML eXternal Entity) injection vulnerability. The WordPress plugin Advanced XML Reader v0.3.4, published here: http://wordpress.org/extend/plugins/advanced-xml-reader/, is susceptible to XXE (XML eXternal Entity) processing attacks...

AI score 7.5
Exploits 0
Packet Storm
added 2013/05/02 12:00 a.m. | 18 views

WordPress Advanced XML Reader 0.3.4 XXE Injection

The WordPress plugin Advanced XML Reader v0.3.4, published here: http://wordpress.org/extend/plugins/advanced-xml-reader/, is susceptible to XXE (XML eXternal Entity) processing attacks. After installing the plugin on a Windows machine, I created a text file in the root of C:\ named "test.txt", which...

AI score 0.1
Exploits 0