1037 matches found
CVE-2024-39903
Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion LFI vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI...
CVE-2024-39903 Local File Inclusion in Solara
Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion LFI vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI...
CVE-2024-22168
A Cross-Site Scripting XSS vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry...
CVE-2024-22168 Cross-Site Scripting (XSS) vulnerability on Western Digital My Cloud and SanDisk ibi Web Apps
A Cross-Site Scripting XSS vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry...
CVE-2024-22168 Cross-Site Scripting (XSS) vulnerability on Western Digital My Cloud and SanDisk ibi Web Apps
A Cross-Site Scripting XSS vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry...
CVE-2024-32986 Arbitrary code execution due to improper sanitization of web app properties in PWAsForFirefox
PWAsForFirefox is a tool to install, manage and use Progressive Web Apps PWAs in Mozilla Firefox. Due to improper sanitization of web app properties such as name, description, shortcuts, web apps were able to inject additional lines into XDG Desktop Entries on Linux and AppInfo.ini on...
Oracle Application Testing Suite (April 2024 CPU)
The versions of Oracle Application Testing Suite installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory: - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager component: Load Testing for Web Apps...
SISQUALWFM 7.1.319.103 - Host Header Injection Vulnerability
Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection Discovered Date: 17/03/2023 Reported Date: 17/03/2023 Resolved Date: 13/10/2023 Exploit Author: Omer Shaik unknownexploit Vendor Homepage: https://www.sisqualwfm.com Version: 7.1.319.103 Tested on: SISQUAL WFM 7.1.319.103 Affected Versio...
SISQUAL WFM 7.1.319.103 Host Header Injection Vulnerability
Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection Exploit Author: Omer Shaik unknownexploit Vendor Homepage: https://www.sisqualwfm.com Version: 7.1.319.103 Tested on: SISQUAL WFM 7.1.319.103 Affected Version: sisqualWFM - 7.1.319.103 Fixed Version: sisqualWFM - 7.1.319.111 CVE :...
CVE-2024-24573
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...
Design/Logic Flaw
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...
Sql injection
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $REQUEST global array was unsafely called inside an extract function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $SESSION via the GET/POST parameters...
Input validation
facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient input validation...
CVE-2024-24573 facileManager Privilege Escalation via Mass Assignment
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...
CVE-2024-24572
facileManager is a modular web app. In versions ≤4.5.0, admin-logs.php calls extract() on $_REQUEST, allowing an authenticated user (with site-log viewing privileges) to append GET parameter search_sql and bypass injection protections, enabling SQL injection from manipulated search_sql.
CVE-2024-24572 facileManager Authenticated Variable Manipulation leading to SQL Injection
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $REQUEST global array was unsafely called inside an extract function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $SESSION via the GET/POST parameters...
CVE-2024-24572 facileManager Authenticated Variable Manipulation leading to SQL Injection
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $REQUEST global array was unsafely called inside an extract function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $SESSION via the GET/POST parameters...
CVE-2024-24572 facileManager Authenticated Variable Manipulation leading to SQL Injection
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $REQUEST global array was unsafely called inside an extract function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $SESSION via the GET/POST parameters...
Super Progressive Web Apps < 2.2.22 - Missing Authorization
Description The Super Progressive Web Apps plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the superpwanewslettersubmit function hooked via a nopriv AJAX action in versions up to, and including, 2.2.21. This makes it possible for...
Oracle Application Testing Suite DoS (October 2023 CPU)
The version of Oracle Application Testing Suite installed on the remote host is affected by a denial of service vulnerability as referenced in the October 2023 CPU advisory: - Vulnerability in the Oracle Application Testing Suite product of Oracle Enterprise Manager component: Load Testing for We...