44 matches found

Vulnrichment
added 2026/04/21 3:15 p.m. · 2 views

CVE-2025-41011 HTML injection in PHP Point Of Sale

HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specificcustomer', using 'startdateformatted' and 'enddateformatted'...

5.1 CVSS · 5.8 AI score · 0.00034 EPSS
Exploits 0 · References 1
CVE
added 2026/04/21 3:15 p.m. · 8 views

CVE-2025-41011

CVE-2025-41011 — HTML injection in PHP Point of Sale v19.4 due to insufficient input validation in the /reports/generate/specific_customer endpoint (parameters: start_date_formatted, end_date_formatted). This allows rendering HTML in the victim’s browser. CVSS 4.0: Attack vector NETWORK; attack c...

6.1 CVSS · 5.8 AI score · 0.00034 EPSS
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2026/04/21 12:0 a.m. · 2 views

PT-2026-33990

Name of the Vulnerable Software and Affected Versions PHP Point of Sale version 19.4 Description An issue exists where a lack of proper validation of user input allows an attacker to render HTML in the victim's browser. This occurs when sending a request to the endpoint '/reports/generate/specifi...

5.1 CVSS · 5.8 AI score · 0.00034 EPSS
Exploits 0 · References 5
Cvelist
added 2026/04/07 7:37 p.m. · 12 views

CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint

Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

6.5 CVSS · 0.00036 EPSS
Exploits 1 · References 1
CNVD
added 2026/03/26 12:0 a.m. · 3 views

MailEnable StartDate Parameter Cross-Site Scripting Vulnerability

MailEnable is a Windows-based business email server. A cross-site scripting vulnerability exists in the MailEnable StartDate parameter, which stems from improper cleanup of the StartDate parameter in the FreeBusy.aspx form in the Webmail interface, and can be exploited by an attacker to execute...

6.1 CVSS · 5.9 AI score · 0.00027 EPSS
Exploits 1
EUVD
added 2025/10/31 12:30 a.m. · 2 views

EUVD-2016-10794

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a...

5.1 CVSS · 5.7 AI score · 0.00501 EPSS
Exploits 0 · References 3
CVE
added 2025/10/30 9:55 p.m. · 6 views

CVE-2016-15051

Nagios XI

5.4 CVSS · 5.8 AI score · 0.00501 EPSS
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2025/10/30 12:0 a.m. · 2 views

PT-2025-44539

Nagios XI versions prior to 5.2.4 are vulnerable to cross-site scripting (XSS) via the Reports interface through values from the startdate and enddate fields. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a...

5.4 CVSS · 6.2 AI score · 0.00501 EPSS
Exploits 0 · References 3
CNNVD
added 2025/10/30 12:0 a.m. · 1 views

Nagios XI Security Vulnerability

Nagios XI is a suite of IT infrastructure monitoring solutions from US-based Nagios. The solution supports monitoring and alerting of applications, services, operating systems and more. A security vulnerability exists in Nagios XI versions prior to 5.2.4, which stems from insufficient validation ...

5.4 CVSS · 5.9 AI score · 0.00501 EPSS
Exploits 0 · References 2
Veeam
added 2025/10/16 12:0 a.m. · 8 views

Service Provider Migration to Unified Veeam Data Cloud FAQ

Below are the most commonly asked questions. What is changing with my Veeam Data Cloud for Microsoft 365 experience? Veeam is transitioning Veeam Cloud Service Providers (VCSPs) and their customers to Veeam Data Cloud, a unified multi-workload interface. This new experience allows you to manage...

6.6 AI score
Exploits 0
OSV
added 2025/09/08 6:15 p.m. · 1 views

CVE-2025-10099

A weakness has been identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/educarusuariocad.php of the component Editar usuário Page. This manipulation of the argument email/datainicial/dataexpiracao causes cross site...

4.8 CVSS · 5.8 AI score · 0.00065 EPSS
Exploits 1 · References 5
RedhatCVE
added 2025/05/23 5:57 a.m. · 2 views

CVE-2023-4471

The Order Tracking Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the startdate and enddate parameters in versions up to, and including, 3.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1 CVSS · 6.1 AI score · 0.01016 EPSS
Exploits 0 · References 1
OSV
added 2025/03/03 12:15 a.m. · 0 views

CVE-2025-1841

A vulnerability classified as critical has been found in ESAFENET CDG 5.6.3.154.205. This affects an unknown part of the file /CDGServer3/logManagement/ClientSortLog.jsp. The manipulation of the argument startDate/endDate leads to sql injection. It is possible to initiate the attack remotely. The...

9.8 CVSS · 5.7 AI score · 0.00076 EPSS
Exploits 0 · References 4
CNNVD
added 2025/01/07 12:0 a.m. · 1 views

WordPress plugin FlickRocket Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin FlickRocke...

6.1 CVSS · 6.5 AI score · 0.03048 EPSS
Exploits 0 · References 7
Positive Technologies
added 2025/01/07 12:0 a.m. · 2 views

PT-2025-1646 · WordPress · Store Credit / Gift Cards For Woocommerce

Name of the Vulnerable Software and Affected Versions: Store credit / Gift cards for woocommerce plugin for WordPress versions up to, and including, 1.0.49.46 Description: The issue is related to Reflected Cross-Site Scripting via the coupon, start date, and end date parameters due to insufficien...

6.1 CVSS · 6.8 AI score · 0.0261 EPSS
Exploits 0 · References 7
Positive Technologies
added 2025/01/07 12:0 a.m. · 2 views

PT-2025-1848 · WordPress · Woocommerce Digital Content Delivery (Incl. Drm) – Flickrocket Plugin

Name of the Vulnerable Software and Affected Versions: WooCommerce Digital Content Delivery incl. DRM – FlickRocket plugin for WordPress versions up to, and including, 4.74 Description: The issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers t...

6.1 CVSS · 7.5 AI score · 0.03048 EPSS
Exploits 0 · References 9
Citrix
added 2024/08/20 12:0 a.m. · 6 views

Failed to execute cmdlet "Export-LogReportCsv"

While running cmdlet "Export-LogReportCsv" and setting parameter "StartDateRange" before two weeks or more, "The remote server returned an unexpected response: 502 Bad Gateway" error may show as below. ----------- Export-LogReportCsv -OutputFile "C:\temp\CitrixConfigLog.csv" -StartDateRange...

7.1 AI score
Exploits 0
Positive Technologies
added 2024/05/01 12:0 a.m. · 2 views

PT-2024-11983 · Unknown · Sourcecodester Oretnom23 Employee'S Payroll Management System

Name of the Vulnerable Software and Affected Versions: sourcecodester oretnom23 employee's payroll management system version 1.0 Description: The issue allows attackers to execute arbitrary code via the code, title, from date, and to date inputs in the file Main.php. This is a Cross Site Scriptin...

6.1 CVSS · 7 AI score · 0.00216 EPSS
Exploits 1 · References 5
CNNVD
added 2024/04/08 12:0 a.m. · 1 views

Prison Management System Cross-Site Scripting Vulnerability

Prison Management System is a prison management system by the individual developer Carlo Montero. A cross-site scripting vulnerability exists in SourceCodester Prison Management System version 1.0, which stems from a cross-site scripting (XSS) vulnerability in the parameters txtstartdate/txttenddat...

5.4 CVSS · 4.5 AI score · 0.0007 EPSS
Exploits 1 · References 5
Vulnrichment
added 2023/11/12 1:12 p.m. · 26 views

CVE-2023-47037 Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access)

We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have the...

4.6 AI score · 0.00084 EPSS
Exploits 0 · References 3