138 matches found
GHSA-674V-3G2W-84GX Sandbox bypass in fenom
In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode to bypass the sandbox and execute arbitrary PHP code when disable_native_funcs is true...
CVE-2021-46433
In fenom 2.12.1 and before, there is a way in fenom/src/Fenom/Template.php function getTemplateCode to bypass the sandbox and execute arbitrary PHP code when disable_native_funcs is true...
CVE-2021-46433
CVE-2021-46433 concerns Fenom (PHP template engine) version 2.12.1 and earlier. The vulnerability lies in fenom/src/Fenom/Template.php, function getTemplateCode(), where a sandbox bypass can occur when disable_native_funcs is true, enabling arbitrary PHP code execution. Public records acros...
CVE-2020-21654
Affected software: emlog v6.0. Vulnerability: A flaw in the admin\template.php component allows an attacker to obtain a shell by crafting a malicious ZIP file. This is linked to improper validation of uploaded ZIPs. Impact: Remote code execution with high severity potential due to arbitrary shell...
CVE-2020-21654
emlog v6.0 contains a vulnerability in the component admin\template.php, which allows attackers to get a shell via a crafted Zip file...
Information Disclosure
johnpbloch/wordpress-core is vulnerable to information disclosure. The vulnerability exists in the get_comment_excerpt function in comment-template.php because comments from password-protected, non-public posts and pages are not restricted from viewing under certain conditions...
CVE-2020-12639
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php...
Cross site scripting
phpList before 3.5.3 allows XSS, with resultant privilege elevation, via lists/admin/template.php...
CVE-2020-10578
An arbitrary file read vulnerability exists in system/controller/backend/template.php in QCMS v3.0.1...
CVE-2020-10495
CSRF in admin/edit-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to edit an article template, given the id, via a crafted request...
CVE-2020-10409
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/edit-template.php by adding a question mark ? followed by the payload...
CVE-2020-10398
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/add-template.php by adding a question mark ? followed by the payload...
Cross site scripting
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/edit-template.php by adding a question mark ? followed by the payload...
Cross site scripting
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/add-template.php by adding a question mark ? followed by the payload...
Cross site request forgery (csrf)
CSRF in admin/add-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new article template via a crafted request...
CVE-2020-10495
CVE-2020-10495 is a CSRF vulnerability affecting Chadha PHPKB Standard Multi-Language 9. Attackers can edit an article template via crafted requests to admin/edit-template.php (requires id). The root cause is a CSRF weakness in the web application's handling of template edits. The NVD entry lists a CV...
CVE-2020-10482
The linked records confirm that CVE-2020-10482 affects Chadha PHPKB Standard Multi-Language version 9 via a CSRF weakness in admin/add-template.php that lets an attacker add a new article template with a crafted request. The vulnerability stems from insufficient CSRF protection in that endpoint....
CVE-2020-10482
CSRF in admin/add-template.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new article template via a crafted request...
WordPress 3.7.x < 3.7.24 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities: - wp-admin/user-new.php sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access...