4143 matches found
Copyparty <= 1.8.2 - Directory Traversal
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the .cpr subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This...
JeecgBoot 3.5.0 - SQL Injection
jeecg-boot 3.5.0 and 3.5.1 have a SQL injection vulnerability the id parameter of the /jeecg-boot/jmreport/show interface. id: CVE-2023-34659 info: name: JeecgBoot 3.5.0 - SQL Injection author: ritikchaddha severity: critical description: | jeecg-boot 3.5.0 and 3.5.1 have a SQL injection...
MLflow Absolute Path Traversal
Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. id: CVE-2023-3765 info: name: MLflow Absolute Path Traversal author: DhiyaneshDK severity: critical description: | Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0. impact: | This vulnerability can...
Dahua Smart Park Management - Arbitrary File Upload
Dahua wisdom park integrated management platform is a comprehensive management platform, a park operations,resource allocation, and intelligence services,and other functions, including/emap/devicePointaddImgIco?. id: CVE-2023-3836 info: name: Dahua Smart Park Management - Arbitrary File Upload...
mooDating 1.2 - Cross-site scripting
A vulnerability was found in mooSocial mooDating 1.2. It has been classified as problematic. Affected is an unknown function of the file /matchmakings/question of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-235194 is...
IceWarp Webmail Server v10.2.1 - Cross Site Scripting
Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting XSS vulnerability via the color parameter. id: CVE-2023-37728 info: name: IceWarp Webmail Server v10.2.1 - Cross Site Scripting author: technicaljunkie,r3Y3r53 severity: medium description: | Icewarp Icearp v10.2.1 was...
Old Age Home Management System v1.0 - SQL Injection
Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. id: CVE-2023-33338 info: name: Old Age Home Management System v1.0 - SQL Injection author: Harsh severity: critical description: | Old Age Home Management 1.0 is vulnerable to SQL Injection via the username...
Dolibarr Unauthenticated Contacts Database Theft
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. id: CVE-2023-33568 info: name: Dolibarr Unauthenticated Contacts Database Theft...
H3C Magic R300-2100M - Remote Code Execution
H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. id: CVE-2023-33629 info: name: H3C Magic R300-2100M - Remote Code Execution author: DhiyaneshDK severity: high description: | H3C Magic R300 version...
Faculty Evaluation System v1.0 - SQL Injection
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/managetask.php?id= id: CVE-2023-33439 info: name: Faculty Evaluation System v1.0 - SQL Injection author: Harsh severity: high description: | Sourcecodester Faculty Evaluation System v1.0 is vulnerable to...
AudioCodes Device Manager Express - SQL Injection
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the processlogin.php login form. id: CVE-2022-24627 info: name: AudioCodes Device Manager Express - SQL Injection author: geeknik severity: critical...
Academy LMS 6.2 - Cross-Site Scripting
A vulnerability was found in Academy LMS 6.2 on Windows. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument...
WordPress Plugin LayerSlider 7.9.11-7.10.0 - SQL Injection
The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the lsgetpopupmarkup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated...
OpenEMR < 7.0.1 - Cross-site Scripting
Cross-site Scripting XSS - Reflected in GitHub repository openemr/openemr prior to 7.0.1. id: CVE-2023-2949 info: name: OpenEMR 7.0.1 - Cross-site Scripting author: ritikchaddha,princechaddha severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository openemr/openemr...
Coda v.2024Q1 - Cross-Site Scripting
Cross Site Scripting vulnerability in Unit4 Financials by Coda v.2024Q1 allows a remote attacker to escalate privileges via a crafted script to the cols parameter. id: CVE-2024-28734 info: name: Coda v.2024Q1 - Cross-Site Scripting author: s4e-io severity: medium description: | Cross Site Scripti...
NagiosXI <= 5.4.12 menuaccess.php - SQL injection
A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter. id: CVE-2018-10738 info: name: NagiosXI = 5.4.12 menuaccess.php - SQL injection author: DhiyaneshDk severity: high description: | A SQL injection issue was discovered in Nagios XI befor...
Joomla! Component PrayerCenter 3.0.2 - SQL Injection
SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429. id: CVE-2018-7314 info: name: Joomla! Component PrayerCenter 3.0.2 - SQL Injection author: DhiyaneshDK severity: critical description: | SQL Injection...
Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection
SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request. id: CVE-2018-6605 info: name: Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection author: DhiyaneshDk severity...
MooDating 1.2 - Cross-site scripting
A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. id: CVE-2023-3848...
MooDating 1.2 - Cross-Site Scripting
A vulnerability was found in mooSocial mooDating 1.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /friends/ajaxinvite of the component URL Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. id:...
Ninja Forms < 3.6.26 - Cross-Site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin id: CVE-2023-37979 info: name: Ninja Forms 3.6.26 - Cross-Site Scripting author: r3Y3r53 severity:...
MooDating 1.2 - Cross-Site scripting
A vulnerability classified as problematic was found in mooSocial mooDating 1.2. This vulnerability affects unknown code of the file /users of the component URL Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. id: CVE-2023-3847 info: name: MooDating 1....
CopyParty v1.8.6 - Cross Site Scripting
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting XSS Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link...
MooDating 1.2 - Cross-Site Scripting
A vulnerability was found in mooSocial mooDating 1.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /friends of the component URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. id:...
Online Piggery Management System v1.0 - Unauthenticated File Upload
Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to add-pig.php. id: CVE-2023-37629 info: name: Online Piggery Management System v1.0 - Unauthenticated File Upload author: Harsh severity: critical descriptio...
rConfig 3.9.4 - Server-Side Request Forgery
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the pathb parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. id: CVE-2023-39108 info: name: rConf...
MooDating 1.2 - Cross-Site Scripting
A vulnerability classified as problematic has been found in mooSocial mooDating 1.2. This affects an unknown part of the file /pages of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. id: CVE-2023-3846 info: name: MooDatin...
rConfig 3.9.4 - Server-Side Request Forgery
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the patha parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. id: CVE-2023-39109 info: name: rConf...
Cacti 1.2.24 - SQL Injection
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graphview.php. Since guest users can access graphview.php without authentication by default, if guest users are being utilized in an enabled state, there...
mooDating 1.2 - Cross-site scripting
A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. id: CVE-2023-3849 info:...
rConfig 3.9.4 - Server-Side Request Forgery
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. id: CVE-2023-39110 info: name: rConfig 3.9.4 - Server-Side...
Rukovoditel <= 3.2.1 - Cross-Site Scripting
A stored cross-site scripting XSS vulnerability in the Global Lists feature /index.php?module=globallists/lists of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". id:...
RPCMS 3.0.2 - Cross-Site Scripting
RPCMS 3.0.2 contains a cross-site scripting vulnerability in the Search function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other...
Welcart eCommerce <=2.7.7 - Local File Inclusion
Welcart eCommerce 2.7.7 and before are vulnerable to unauthenticated local file inclusion. id: CVE-2022-41840 info: name: Welcart eCommerce =2.7.8 or apply the provided patch to fix the LFI vulnerability. reference: -...
ServiceNow - Cross-site Scripting
A XSS vulnerability was identified in the ServiceNow UI page assessmentredirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks,...
Tenda AC1200 V-W15Ev2 - Authentication Bypass
The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The...
WordPress IWS Geo Form Fields <=1.0 - SQL Injection
WordPress IWS Geo Form Fields plugin through 1.0 contains a SQL injection vulnerability. The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data,...
WordPress Welcart e-Commerce <2.8.5 - Arbitrary File Access
WordPress Welcart e-Commerce plugin before 2.8.5 is susceptible to arbitrary file access. The plugin does not validate user input before using it to output the content of a file, which can allow an attacker to read arbitrary files on the server, obtain sensitive information, modify data, and/or...
PDF Generator for WordPress < 1.1.2 - Cross Site Scripting
The plugin includes a vendored dompdf example file which is susceptible to Reflected Cross-Site Scripting and could be used against high privilege users such as admin id: CVE-2022-4321 info: name: PDF Generator for WordPress 1.1.2 - Cross Site Scripting author: r3Y3r53,HuTa0 severity: medium...
WordPress Pie Register <3.8.2.3 - Open Redirect
WordPress Pie Register plugin before 3.8.2.3 contains an open redirect vulnerability. The plugin does not properly validate the redirection URL when logging in and login out. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute...
Rukovoditel <= 3.2.1 - Cross Site Scripting
Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Add Announcement function at /index.php?module=helppages/pages&entitiesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...
WebTareas 2.4p5 - SQL Injection
webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php. id: CVE-2022-44290 info: name: WebTareas 2.4p5 - SQL Injection author: theamanrawat severity: critical description: | webTareas 2.4p5 was discovered to contain a SQL injection...
CandidATS 3.0.0 - Cross-Site Scripting
CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...
CandidATS 3.0.0 - Cross-Site Scripting.
CandidATS 3.0.0 contains a cross-site scripting vulnerability via the sortBy parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...
Backdrop CMS version 1.23.0 - Stored Cross Site Scripting
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via the 'Card' content. id: CVE-2022-42094 info: name: Backdrop CMS version 1.23.0 - Stored Cross Site Scripting author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 w...
OpenCATS 0.9.6 - Cross-Site Scripting
OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the callback component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch othe...
OpenCATS 0.9.6 - Cross-Site Scripting
OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the joborderID parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch...
Rukovoditel <= 3.2.1 - Cross-Site Scripting
A stored cross-site scripting XSS vulnerability in the Users Access Groups feature /index.php?module=usersgroups/usersgroups of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New...
WordPress Events Calendar <1.4.5 - Cross-Site Scripting
WordPress Events Calendar plugin before 1.4.5 contains multiple cross-site scripting vulnerabilities. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the...
CandidATS 3.0.0 - Cross-Site Scripting.
CandidATS 3.0.0 contains a cross-site scripting vulnerability via the indexFile parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...