50 matches found
TOTOLINK N300RH Injection Vulnerability
TOTOLINK N300RH is a long-range wireless router from TOTOLINK (Gion Electronics, China). The TOTOLINK N300RH suffers from a command injection vulnerability that stems from the parameter pluginname in the file /cgi-bin/cstecgi.cgi failing to correctly filter special characters in constructed commands,...
PT-2025-3261 · 5 Star Plugins · Pretty Simple Popup Builder
Name of the Vulnerable Software and Affected Versions: 5 Star Plugins Pretty Simple Popup Builder versions 1.0.9 and earlier. Description: The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This means that an...
rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary...
CVE-2023-43803
Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass t...
CVE-2023-43803
CVE-2023-43803 affects Arduino Create Agent. The vulnerability stems from how the endpoint /v2/pkgs/tools/installed handles user-supplied plugin names, enabling path traversal that could allow an attacker with localhost HTTP access or bypassed CORS to delete arbitrary files/folders owned by the A...
Malicious code in docusaurus-plugin-name (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 232063f9bf78828e30e0c8bb7374c02a90b0a6bf29118093c955b5412deadddf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-2553 Malicious code in docusaurus-plugin-name (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 232063f9bf78828e30e0c8bb7374c02a90b0a6bf29118093c955b5412deadddf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Digital Watchdog DW MEGApix IP OS Command Injection Vulnerability
Digital Watchdog DW MEGApix IP is a camera from Digital Watchdog USA. Digital Watchdog DW MEGApix IP cameras version A7.2.220211029 suffer from an operating system command injection vulnerability that stems from a security issue with the event, id, pluginname, name, and evtid parameters in the...
MantisBT vulnerable to XSS due to improper escape in manage_plugin_page.php and manage_plugin_uninstall.php
An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code if CSP allows it in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed...
CVE-2022-26144
An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code if CSP allows it in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed...
MantisBT Cross-Site Scripting Vulnerability
MantisBT is a web-based open source defect tracking system from the MantisBT team. The system provides project management and defect tracking services through a web interface. A security vulnerability exists in MantisBT versions prior to 2.25.3, which stems from improper escaping of...
b2evolution 6.11.6 - 'plugin name' Stored XSS
Exploit Title: b2evolution 6.11.6 - 'plugin name' Stored XSS Date: 09/02/2021 Exploit Author: Soham Bakore, Nakul Ratti Vendor Homepage: https://b2evolution.net/ Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405 Version: 6.11.6 Tested on: latest version of Chrome,...
b2evolution Cross-Site Scripting Vulnerability
b2evolution is a PHP and MySQL-based community content management system. The b2evolution cross-site scripting vulnerability can be exploited by attackers to execute malicious JavaScript code via the plugin name input field in the plugin module...
Helm Plugin Validation Vulnerability
Helm is a Kubernetes package manager. A security vulnerability exists in Helm versions prior to 2.16.11 and 3.3.2, which stems from a failure to properly sanitize plugin names and can be exploited by an attacker to use illegal characters in plugin names...
PT-2020-14257 · Helm +2 · Helm +2
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 2.16.11; Helm versions prior to 3.3.2. Description: The issue arises from improper sanitization of plugin names, allowing a malicious plugin author to use characters that could result in unexpected behavior. This could...
DEBIAN-CVE-2020-12640
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php...
CVE-2020-12640
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php...
CVE-2019-19609
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function...
Strapi Admin Panel Install and Uninstall Plugin Component Remote Code Execution Vulnerability
Strapi is an open source headless content management system (CMS). Install and Uninstall Plugin is a component of its Admin panel. A remote code execution vulnerability exists in the Install and Uninstall Plugin component of the Admin panel in Strapi, which stems from the program's failur...
CVE-2018-17827
HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php...