98 matches found
CVE-2020-35936
Stored Cross-Site Scripting (XSS) vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to import layouts including JavaScript supplied via a remotely hosted crafted payload in the source parameter via AJAX. The action must be set to...
CVE-2020-35938
PHP Object injection vulnerabilities in the Post Grid plugin before 2.0.73 for WordPress allow remote authenticated attackers to inject arbitrary PHP objects due to insecure unserialization of data supplied in a remotely hosted crafted payload in the source parameter via AJAX. The action must be...
jscover Command Injection Vulnerability
jscover is a JavaScript code test coverage tool. An injection vulnerability exists in jscover 1.0.0 and earlier versions, which stems from a lack of proper validation of user input data. A remote attacker can exploit the vulnerability to execute arbitrary commands with the help of the 'source'...
CVE-2019-20224
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742...
CVE-2019-3971
Comodo Antivirus versions up to 12.0.0.6810 are vulnerable to a local Denial of Service affecting CmdVirth.exe via its LPC port "cmdvrtLPCServerPort". A low privileged local process can connect to this port and send an LPC_DATAGRAM, which triggers an Access Violation due to hardcoded NULLs used fo...
Code injection
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if th...
CVE-2019-8341
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and...
DEBIAN-CVE-2019-7336
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view monitorfilters.php takes in input from the user and saves it into the session, and retrieves it later insecurely. The values of the MonitorName and Source parameters are being displayed without any...
UBUNTU-CVE-2019-7336
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view monitorfilters.php takes in input from the user and saves it into the session, and retrieves it later insecurely. The values of the MonitorName and Source parameters are being displayed without any...
CVE-2017-17104
Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/app_theme/libs/check_file.php via $_GET['src'] or $_GET['name']...
SSRF Vulnerability in Jspxcms Enterprise Open Source Web Content Management System
jspxcms is an open source, Java-based content management system (CMS). An SSRF vulnerability exists in the source and upfile parameters of the classes\com\jspxcms\core\web\fore\UploadController.java file in Jspxcms, which allows an attacker to initiate a request to an intranet host to obtain the...
Exponent CMS 'src' Parameter SQL Injection Vulnerability
Exponent CMS is a free, open source PHP-based modular content management system (CMS) of the U.S. OIC Group of companies. The system supports direct editing in the page, and provides user management, site configuration, content editing and other functions. Exponent CMS version 2.3.9 suffers from a...
WordPress plugin Redirection Page has multiple cross-site request forgery vulnerabilities
Redirection Page plugin is a redirection plugin for managing 301 redirects and tracking 404 errors. The WordPress plugin Redirection Page suffers from multiple cross-site request forgery vulnerabilities that allow remote attackers to hijack an administrator's credentials as (1) changing plugin...
elasticsearch: remote code execution flaw via dynamic scripting
It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to search...
DZS Video Gallery - ajax.php source Parameter Reflected XSS
The dzs-videogallery WordPress plugin was affected by an ajax.php source Parameter Reflected XSS security vulnerability...
VulnCheck KEV: CVE-2011-4106
TimThumb timthumb.php before 2.0 does not validate the entire source with the domain white list, which allows remote attackers to upload and execute arbitrary code via a URL containing a white-listed domain in the src parameter, then accessing it via a direct request to the file in the cache...
Cross site scripting
Cross-site scripting (XSS) vulnerability in the Report Viewer Control in Microsoft Visual Studio 2005 SP1 and Report Viewer 2005 SP1 allows remote attackers to inject arbitrary web script or HTML via a parameter in a data source, aka "Report Viewer Controls XSS Vulnerability."...
Microsoft SharePoint Cross Site Scripting Vulnerability
This host is running Microsoft SharePoint Server and is prone to a Cross Site Scripting vulnerability. OpenVAS Vulnerability Test $Id: gbmssharepointxssvuln.nasl 5323 2017-02-17 08:49:23Z teissa $ Microsoft SharePoint Cross Site Scripting Vulnerability Authors: Antu Sanadi Copyright: Copyright (c) 20...