PT-2025-25415 · Openc3 · Openc3 Cosmos
Name of the Vulnerable Software and Affected Versions: OpenC3 COSMOS version 6.0.0 Description: A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS allows attackers to execute arbitrary code via uploading a crafted .txt file. Recommendations: For OpenC3...
CVE-2025-28386
CVE-2025-28386 affects OpenC3 COSMOS v6.0.0 in the Plugin Management component. The vulnerability allows remote code execution when a crafted .txt file is uploaded, enabling arbitrary code execution with network access and no user interaction. CVSS v3.1 base score 9.8 (CRITICAL). Remediation guid...
CVE-2025-28386
A remote code execution (RCE) vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file...
CVE-2021-34816
An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source...
CVE-2024-9847
FlatPress CMS (latest version) is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. The attacker can craft a malicious link or script that, when clicked by an authenticated user, will send a request to the FlatPress...
FlatPress cross-site request forgery vulnerability
FlatPress is a lightweight, easy-to-set-up flat-file blogging engine from the FlatPress open-source project. A cross-site request forgery vulnerability exists in FlatPress. An attacker exploiting this vulnerability can enable or disable plugins...
CVE-2024-13423 Sparkling <= 2.4.9 - Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation
The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparklingactivateplugin' and 'sparklingdeactivateplugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers...
CVE-2025-23024 GLPI: Plugins are disabled accessing one page
GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the install/update.php file...
CVE-2024-52959
An Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file...
CVE-2024-52958
An improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via the upload plugin function...
CVE-2024-52959 iota C.ai Conversational Platform - Improper Control of Generation of Code ('Code Injection')
An Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file...
CVE-2024-52959
CVE-2024-52959 affects the iota C.ai Conversational Platform, specifically the plugin management feature. The root cause is described as improper control of code generation, enabling a code injection vulnerability. Affected versions are 1.0.0 through 2.1.3. The vulnerability allows remote authen...
CVE-2024-52958 iota C.ai Conversational Platform - Improper Verification of Cryptographic Signature
An improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via the upload plugin function...
PT-2024-35499 · Unknown · Iota C.Ai Conversational Platform
Name of the Vulnerable Software and Affected Versions: iota C.ai Conversational Platform versions 1.0.0 through 2.1.3 Description: The issue is related to an improper verification of cryptographic signature vulnerability in plugin management. This allows remote authenticated users to load a...
PT-2024-35500 · Unknown · Iota C.Ai Conversational Platform
Name of the Vulnerable Software and Affected Versions: iota C.ai Conversational Platform versions 1.0.0 through 2.1.3 Description: A code injection vulnerability in the plugin management of iota C.ai Conversational Platform allows remote authenticated users to execute arbitrary system commands vi...
CVE-2024-6799
The YITH Essential Kit for WooCommerce 1 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activatemodule', 'deactivatemodule', and 'installmodule' functions in all versions up to, and including, 2.34.0. This makes it possible for...
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
Summary: Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker. Details: Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding AP...