Host Header Injection
pimcore/admin-ui-classic-bundle is vulnerable to Host Header Injection. The vulnerability is caused due to unsafely using the host header from incoming HTTP requests when generating URLs in the function invitationLinkAction within UserController.php , specifically in the way $loginUrl trusts user...
ThinkCMF Cross-site Scripting Vulnerability
Cross Site Scripting XSS vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted userlogin...
Cross site scripting
Cross Site Scripting XSS vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted userlogin...
ThinkCMF Cross-site Scripting Vulnerability
ThinkCMF is a CMS Content Management System based on ThinkPHP. A cross-site scripting vulnerability exists in ThinkCMF version 5.1.5, which stems from the lack of effective filtering and escaping of user-supplied data in the file UserController.php, and can be exploited by an attacker to execute...
CVE-2020-25915
Cross Site Scripting XSS vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted userlogin...
Privilege Escalation
pimcore/pimcore is vulnerable to Privilege Escalation. The vulnerability exists due to faulty logic in the updateAction function of UserController.php, which allows a low-level user to elevate their privileges to an admin...
Unrestricted File Upload
pimcore/pimcore is vulnerable to Unrestricted File Upload. The vulnerability exists in the uploadImageAction function in UserController.php because the file type of the avatar is not properly checked when uploading which allows an attacker to upload arbitrary files into the system, and execute...
Sql injection
CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search function...
CVE-2018-20508
CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search function...
CVE-2018-20508
CVE-2018-20508 affects CrashFix 1.0.4 with a SQL Injection vulnerability exploitable via the User[status] parameter. The issue is tied to actionIndex in UserController.php and the protected\models\User.php search() function. The connected documents confirm the vulnerability detail but do not prov...
CVE-2018-20508
CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search function...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in Newscoop 4.x through 4.1.0 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) language parameter to application/modules/admin/controllers/LanguagesController.php or (2) user parameter to...
Wolf CMS 0.6.0b Cross Site Request Forgery / Cross Site Scripting
Vulnerability ID: HTB22680 Reference: http://www.htbridge.ch/advisory/xssvulnerabilityinwolfcms2.html Product: Wolf CMS Vendor: Wolf CMS team http://www.wolfcms.org/ Vulnerable Version: 0.6.0b and probably prior versions Vendor Notification: 09 November 2010...
Wolf CMS 0.6.0b - Multiple Vulnerabilities
Vulnerability ID: HTB22681 Reference: http://www.htbridge.ch/advisory/xsrfcsrfinwolfcms.html Product: Wolf CMS Vendor: Wolf CMS team http://www.wolfcms.org/ Vulnerable Version: 0.6.0b and probably prior versions Vendor Notification: 09 November 2010 Vulnerability Type: CSRF Cross-Site Request...