GO-2024-3182 OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu
OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact: Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and should explicitly produce errors. Workarounds: Check that you are not using sensitive...
GHSA-WPR2-J6GR-PJW9 OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact: Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and should explicitly produce errors. Workarounds: Check that you are not using sensitive...
CVE-2022-43234
An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file...
Design/Logic Flaw
An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file...
CVE-2022-43234
CVE-2022-43234 affects Hoosk v1.8, with an arbitrary file upload vulnerability in the "/attachments" component that allows remote code execution via a crafted PHP file. The root cause is insufficient validation of uploaded files, enabling an attacker to upload and execute arbitrary code. Multiple...
Code injection
phpshe V1.8 is affected by a denial of service DoS attack in the registry's verification code, which can paralyze the target service...
CVE-2022-24132
phpshe V1.8 is affected by a denial of service DoS attack in the registry's verification code, which can paralyze the target service...
CVE-2022-22115
The CVE-2022-22115 entry concerns Teedy (open-source document management). The vulnerability is a Stored XSS flaw in the name of a created Tag, caused by improper sanitization on the Edit Tag page. A low-privileged attacker can store malicious scripts in a Tag name, with potential impact to a hig...
CVE-2021-37393
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on the page. An attacker can use the "update password" function to inject XSS payloads into the nickname variable and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
Design/Logic Flaw
In RPCMS v1.8 and below, attackers can interact with API and change variable "role" to "admin" to achieve admin user registration...
Cross site scripting
In RPCMS v1.8 and below, the "nickname" variable is not properly sanitized before being displayed on the page. An attacker can use the "update password" function to inject XSS payloads into the nickname variable and achieve stored XSS. Users who view the articles published by the injected user will trigger the...
CVE-2021-37394
RPCMS (v1.8 and earlier) contains an API-level flaw that allows attackers to alter the user role parameter to admin via the API, enabling admin account registration. The connected sources consistently describe this as a role-parameter manipulation vulnerability affecting RPCMS v1.8 and below, lea...
CVE-2021-27308
A cross-site scripting XSS vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter...
CVE-2021-27308
CVE-2021-27308 concerns 4images v1.8 with a cross-site scripting (XSS) in the admin login panel, exploitable via the redirect parameter. The underlying issue is insufficient input handling on the redirect field, allowing an attacker to inject JavaScript. Documents also reference public exploits/e...
Nexos - Real Estate < 1.8 - Unauthenticated Reflected XSS & SQL Injection
Unauthenticated Reflected XSS and SQL Injection vulnerabilities were discovered in the «Nexos - Real Estate WordPress Theme», tested version — v1.7. June 17th, 2020 - Confirmed & Escalated to Envato. June 19th, 2020 - v1.8 released, fixing the issues. PoC Unauthenticated Reflected XSS:...