57 matches found
CVE-2019-16972
In FusionPBX up to 4.5.7, the file app\contacts\contactaddresses.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS...
CVE-2019-16985
In FusionPBX up to v4.5.7, the file app\xmlcdr\xmlcdrdelete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system...
CVE-2019-16991
In FusionPBX up to v4.5.7, the file app\edit\filedelete.php uses an unsanitized "file" variable coming from the URL, which is reflected in HTML, leading to XSS...
EUVD-2019-7444
Malware in sbrugna...
EUVD-2021-0878
Malware in sbrugna...
EUVD-2019-17686
Malware in sbrugna...
EUVD-2019-7458
Malware in sbrugna...
EUVD-2019-7465
Malware in sbrugna...
EUVD-2019-7447
Malware in sbrugna...
CVE-2020-21054
Cross Site Scripting XSS vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\varstextarea.php...
CVE-2019-8288
Vulnerability in Online Store v1.0, Stored XSS in userview.php where adidasmemberuser variable is not sanitized...
CVE-2019-10796
rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization...
CVE-2019-16980
In FusionPBX up to v4.5.7, the file app\callbroadcast\callbroadcastedit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection...
Prototype pollution in emit function
Summary A prototype pollution in derby can crash the application, if the application author has atypical HTML templates that feed user input into an object key. Attribute keys are almost always developer-controlled, not end-user-controlled, so this shouldn't be an issue in practice for most...
OS Command Injection in sofianehamlaoui/lockdoor-framework
✍️ Description Command Injection due to unsanitized variable named algo 🕵️♂️ Proof of Concept 💥 Impact CI with the highest privilege...
Cross site scripting
Cross Site Scripting XSS vulnerability in FusionPBX 4.5.7 allows remote malicious users to inject arbitrary web script or HTML via an unsanitized "f" variable in app\vars\varstextarea.php...
CVE-2020-14042
PRODUCT NOT SUPPORTED WHEN ASSIGNED A Cross Site Scripting XSS vulnerability was found in Codiad v1.7.8 and later. The vulnerability occurs because of improper sanitization of the folder's name $path variable in components/filemanager/class.filemanager.php. NOTE: the vendor states "Codiad is no...
Cross site scripting
An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $SESSION'RF'"viewtype" wasn't sanitized if it was already set. This made stored XSS possible if one opens ajaxcalls.php and uses the "view" action and places a payload in the type...
CVE-2019-16976
In FusionPBX up to 4.5.7, the file app\destinations\destinationimports.php uses an unsanitized "querystring" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS...
CVE-2019-16971
In FusionPBX up to 4.5.7, the file app\messages\messagesthread.php uses an unsanitized "contactuuid" variable coming from the URL, which is reflected on 3 occasions in HTML, leading to XSS...