12 matches found
EUVD-2015-5680
Malware in sbrugna...
GHSA-7W95-QWHH-Q9P3 Magento Path Traversal vulnerability via the `theme[preview_image]` parameter
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution...
Magento Path Traversal vulnerability via the `theme[preview_image]` parameter
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution...
CVE-2021-29484 DOM XSS in Theme Preview
Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and m...
Shopify: Reflected XSS in <any>.myshopify.com through theme preview
Hi, I have found a reflected cross-site scripting vulnerability in <any>.myshopify.com through themehanlde parameter due to not single quotes. Steps to reproduce: 1. Navigate to <any>.myshopify.com 2. View the source of the page and copy the value of Shopify.theme Id. 3. Navigate to...
DEBIAN-CVE-2015-5734
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string...
CVE-2015-5734
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string...
CVE-2015-5734
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string...
CVE-2015-5734
WordPress 4.2.4 patch fixes CVE-2015-5734: XSS in the legacy theme preview (wp-includes/theme.php) that allowed remote injection via a crafted string. Affected: WordPress prior to 4.2.4. Impact noted as cross-site scripting; remediation is upgrading to WordPress 4.2.4 (security release). Exploita...
CVE-2015-5734
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string...
[SECURITY] [DLA 294-1] wordpress security update
Package : wordpress Version : 3.6.1+dfsg-1deb6u7 CVE ID : CVE-2015-2213 CVE-2015-5622 CVE-2015-5731 CVE-2015-5732 CVE-2015-5734 Several vulnerabilities have been fixed in Wordpress, the popular blogging engine. CVE-2015-2213 SQL Injection allowed a remote attacker to compromise the site...
Concrete CMS: XSS in Theme Preview Tools File
https://github.com/concrete5/concrete5/blob/master/web/concrete/tools/themes/preview.php#L7 Note that one of those values near the end is not escaped...