2595 matches found
TeamPass <= 2.1.27.36 Multiple XSS Vulnerabilities
TeamPass is prone to multiple cross-site scripting (XSS) vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...
CVE-2019-3960
Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file...
Unrestricted file upload
PHKP 'pgp_exec()' function command injection vulnerability
PHKP is a PHP-based implementation of the OpenPGP HTTP Keyserver Protocol (HKP). A command injection vulnerability exists in the 'pgp_exec()' function of the phkp.php file in PHKP. The vulnerability stems from the product not properly filtering special elements in externally entere...
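The entry above describes the classic shape of a command-injection bug in a PHP wrapper around an external binary. The following is an added example, not PHKP's own phkp.php code: a deliberately vulnerable wrapper beside one that validates the argument's shape and quotes it. The function names, the key-ID format and the use of gpg as the backing binary are assumptions for illustration.

```php
<?php
// Added example (not PHKP code). Names and the gpg backend are assumptions.

// Vulnerable: the search string is concatenated into the shell command
// unquoted, so a value such as "0xDEADBEEF; id" runs "id" as the web server user.
function pgp_export_vulnerable(string $search): string
{
    return (string) shell_exec('gpg --batch --export --armor ' . $search);
}

// Shape check for what the endpoint is actually expected to receive:
// an optional 0x prefix followed by an 8-, 16- or 40-digit hex key ID/fingerprint.
function pgp_search_is_valid(string $search): bool
{
    return (bool) preg_match(
        '/^(?:0x)?(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$/',
        $search
    );
}

// Hardened: reject anything outside the expected syntax, then quote what is
// left. "--" stops option parsing so a value like "--export-secret-keys"
// could never be read as a gpg flag even if the shape check were loosened.
function pgp_export_hardened(string $search): ?string
{
    if (!pgp_search_is_valid($search)) {
        return null;
    }
    $out = shell_exec('gpg --batch --export --armor -- ' . escapeshellarg($search));
    return $out === null || $out === false ? '' : (string) $out;
}

// Self-check of the validator on constructed inputs (needs no gpg binary):
foreach (['0xDEADBEEF', 'DEADBEEFDEADBEEF', '0xDEADBEEF; id', '--export-secret-keys', 'abc'] as $s) {
    printf("%-22s %s\n", $s, pgp_search_is_valid($s) ? 'accept' : 'reject');
}
```

If the PHP version allows it, passing an argv array to proc_open() (PHP 7.4+) avoids the shell entirely and is preferable to escapeshellarg(); the validation step is still worth keeping so that the binary only ever sees values of the expected form.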
CVE-2019-1010178
Fred MODX Revolution 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is:...
Design/Logic Flaw
CVE-2019-1010178 affects the Fred add-on for MODX Revolution, version 1.0.0-beta5, via assets/components/fred/web/elfinder/connector.php. The root cause is Incorrect Access Control (CWE-648), enabling Remote Code Execution. The attack vector involves uploading a PHP file or altering data in the database...
SQL Injection Vulnerability in Five Fingers CMSqu***.php File
Five Fingers CMS is a high-performance open source content management system that supports the LNAMP architecture. The Five Fingers CMS qu.php file contains a SQL injection vulnerability that attackers can exploit to obtain sensitive information...
RANGER Studio Directus Code Execution Vulnerability (CNVD-2019-39679)
RANGER Studio Directus is an open source headless CMS and API for managing custom databases, from RANGER Studio (U.S.A.). The Directus API is the component that adds a RESTful API layer to new or existing SQL databases. A security vulnerability exists in RANGER Studio Directus 7...
CVE-2019-13979
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads//originals remote code execution...
Remote code execution
Remote code execution
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads//originals remote code execution with nginx...
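The WallacePOS, Fred and Directus entries above are all the same bug class: an upload handler that stores a client-named file under the web root. The second Directus entry also shows why a server-side configuration block is not a fix: a .htaccess rule in uploads/ is honoured by Apache and ignored by nginx. The following is an added example, not code from any of those projects: the vulnerable pattern beside a filename check that does not depend on which web server fronts PHP. Function names, directories and the extension lists are assumptions for illustration.

```php
<?php
// Added example (not WallacePOS, Fred or Directus code). Names and lists are assumptions.

// Vulnerable: trusts the client-supplied name and stores it under the web root.
// A .htaccess denying *.php in $dir only helps on Apache; nginx never reads it,
// so a "location ~ \.php$" fastcgi block will execute the uploaded file.
function store_upload_vulnerable(string $clientName, string $tmpPath, string $dir): string
{
    $dest = $dir . '/' . basename($clientName);
    move_uploaded_file($tmpPath, $dest);
    return $dest;
}

// Hardened: allowlist the final extension, reject an executable extension in
// ANY dot-separated segment (catches "shell.php.jpg" on servers that use
// multiviews-style matching), and let the server choose the stored name.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const EXEC_EXT    = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'htaccess'];

function upload_name_is_safe(string $clientName): bool
{
    $segments = explode('.', strtolower(basename($clientName)));
    if (count($segments) < 2) {
        return false;                            // no extension at all
    }
    foreach (array_slice($segments, 1) as $seg) {
        if (in_array($seg, EXEC_EXT, true)) {
            return false;                        // executable extension anywhere in the name
        }
    }
    return in_array(end($segments), ALLOWED_EXT, true);
}

function store_upload_hardened(string $clientName, string $tmpPath, string $dir): ?string
{
    if (!upload_name_is_safe($clientName)) {
        return null;
    }
    // The client controls only the (already allowlisted) extension.
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}

// Self-check of the name filter on constructed inputs (needs no real upload):
foreach (['photo.jpg', 'shell.php', 'shell.php.jpg', 'shell.phtml', '.htaccess', 'noext'] as $n) {
    printf("%-15s %s\n", $n, upload_name_is_safe($n) ? 'accept' : 'reject');
}
```

The stronger fix, independent of any extension list, is to store uploads outside the document root (or in a directory the PHP handler is not mapped to) and serve them through a script that sets Content-Type from the stored metadata; the extension check above then becomes defence in depth rather than the only barrier.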
UsualToolcms my***.php file has an arbitrary file deletion vulnerability
UsualToolCMS (UTCMS) is an enterprise web content management system based on PHP and MySQL. An arbitrary file deletion vulnerability exists in the UsualToolCMS my.php file. An attacker can exploit the vulnerability to delete arbitrary files...
Pluck Code Issue Vulnerability
Pluck is a content management system (CMS) written in PHP. A code issue vulnerability exists in the data/inc/images.php file in Pluck 4.7.4 and earlier versions. The vulnerability stems from a code design or implementation flaw in a web-based system or...
SQL Injection Vulnerability in Seacms v9.9 Backend ad***_te***.php File
SeaCMS is a video-on-demand system based on PHP and MySQL. A SQL injection vulnerability exists in the adte.php file in the Seacms v9.9 backend. An attacker can exploit the vulnerability to obtain sensitive database information...
File Inclusion Vulnerability in mlecms v2.3
mlecms is a website-building system built on PHP and MySQL. A file inclusion vulnerability exists in mlecms v2.3. The vulnerability is due to unfiltered input parameters being concatenated directly into file paths. An attacker can use this vulnerability to obtain php files...
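The mlecms entry describes a request parameter spliced straight into an include path; the UsualToolCMS arbitrary-file-deletion entry a few results up is the same mistake applied to unlink(). The following is an added example, not code from either project: the vulnerable include beside a version that maps the untrusted value to a fixed allowlist and then verifies the resolved path still lies inside the intended directory. The parameter name "tpl", the templates directory and the file names are assumptions for illustration.

```php
<?php
// Added example (not mlecms or UsualToolCMS code). Names and paths are assumptions.

// Vulnerable: "?tpl=../../config" includes (and executes) any PHP file the
// web server can read; pointed at a writable upload directory it is code execution.
function render_vulnerable(string $tpl, string $baseDir): void
{
    include $baseDir . '/' . $tpl . '.php';
}

// Hardened, step 1: the untrusted value selects a key, never a path fragment.
const TEMPLATES = [
    'home'    => 'home.php',
    'article' => 'article.php',
];

// Hardened, step 2: resolve and confirm containment. The same check guards
// delete/read operations: run it before unlink() or file_get_contents() too.
function resolve_template(string $tpl, string $baseDir): ?string
{
    if (!array_key_exists($tpl, TEMPLATES)) {
        return null;                                 // unknown key
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . TEMPLATES[$tpl]);
    if ($base === false || $path === false) {
        return null;                                 // directory or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                 // resolved outside the base directory
    }
    return $path;
}

function render_hardened(string $tpl, string $baseDir): void
{
    $path = resolve_template($tpl, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Self-check on a constructed temporary templates directory containing only home.php:
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';");
foreach (['home', 'article', '../../etc/passwd', 'home/../../config'] as $t) {
    printf("%-20s %s\n", $t, resolve_template($t, $dir) ?? 'rejected');
}
```

In the self-check, "article" is an allowlisted key whose file does not exist and is rejected because realpath() returns false; the two traversal strings never reach the filesystem at all because they are not keys of the allowlist.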
WordPress Insert Or Embed Articulate Content 4.2997 Remote Code Execution
Exploit Title: Authenticated code execution in the insert-or-embed-articulate-content-into-wordpress WordPress plugin. Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive. Date: June 2019. Exploit Author: xulchibalraa. Vendor Homepage:...
InnoGames: Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash)
The Referer header leaked the CSRF token when an embedded PHP file, set via the images function in tribe forums, was opened. A premium feature that allows players to store and run JavaScript during the game then made it possible to grab the session ID, as it was mistakenly embedded in the DOM. This...