12 matches found
CVE-2026-1565
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUFAdminSettings::checkfiletypeandext' function and in the...
CVE-2024-29686
Server-side Template Injection SSTI vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the...
Server-Side Template Injection (SSTI)
wintercms/winter is vulnerable to Server-side Template Injection SSTI. The vulnerability is due to insufficient input validation, allowing an admin authenticated remote attacker to execute arbitrary code by injecting a crafted payload into the CMS Pages field and Plugin components...
GHSA-8R5J-GM3J-CX9C Winter CMS Server-Side Template Injection (SSTI) vulnerability
Server-side Template Injection SSTI vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components...
Winter CMS Server-Side Template Injection (SSTI) vulnerability
Server-side Template Injection SSTI vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components...
PT-2024-22962 · Unknown · Winter Cms
Name of the Vulnerable Software and Affected Versions: Winter CMS version 1.2.3 Description: A Server-side Template Injection SSTI issue allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. The vendor disputes this vulnerability,...
CVE-2024-29686
CVE-2024-29686 describes a Server-side Template Injection (SSTI) in Winter CMS v1.2.3. The vulnerability allows a remote attacker to execute arbitrary code via a crafted payload in the CMS Pages field and Plugin components. Some sources note this could be exploited by an authenticated/admin user ...
WinterCMS 1.2.3 Cross Site Scripting
Exploit Title: Stored XSS in WinterCMS 1.2.3 Plugin Components Date: 12/7/2023 Exploit Author: tmrswrr Vendor Homepage: https://wintercms.com/ Software Link: https://github.com/wintercms/winter Version: 1.2.3 Tested on: debian 9 PoC 1. Access the WinterCMS backend at http://localhost/backend/cms...
Malicious code in front-plugin-components-library (npm)
Source: ghsa-malware 423b889e13bc234c563a78390b6c479627bc514597d4783960e2e1940d39d4e2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3216 Malicious code in front-plugin-components-library (npm)
Source: ghsa-malware 423b889e13bc234c563a78390b6c479627bc514597d4783960e2e1940d39d4e2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Valak Loader Revamped to Rob Microsoft Exchange Servers
Threat actors have revamped a popular malware loader into a stealthy infostealer that targets Microsoft Exchange servers to pilfer enterprise mailing information, passwords and enterprise certificates, researchers have found. Security researchers from Cybereason Nocturnus have discovered Valak, a...