Lucene search

K

9 matches found

CVE
CVE
added 2024/04/03 3:15 a.m.93 views

CVE-2024-24724

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.

9.8CVSS7.7AI score0.21959EPSS
CVE
CVE
added 2024/03/23 11:15 p.m.89 views

CVE-2024-24725

Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.

8.8CVSS6.4AI score0.77638EPSS
CVE
CVE
added 2023/11/14 6:15 a.m.84 views

CVE-2023-45878

GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set...

9.8CVSS9.7AI score0.93068EPSS
CVE
CVE
added 2022/05/25 4:15 p.m.64 views

CVE-2022-27305

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.

8.8CVSS8.6AI score0.00374EPSS
CVE
CVE
added 2024/11/21 7:15 p.m.40 views

CVE-2024-51337

Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain sensitive information via the email parameter found in /Gibbon/modules/User Admin/user_manage_editProcess.php.

3.5CVSS6.2AI score0.00266EPSS
CVE
CVE
added 2025/05/27 4:15 a.m.33 views

CVE-2025-26211

Gibbon before 29.0.00 allows CSRF.

8.8CVSS7AI score0.00022EPSS
CVE
CVE
added 2023/11/14 6:15 a.m.24 views

CVE-2023-45879

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

5.4CVSS5.6AI score0.00231EPSS
CVE
CVE
added 2023/11/14 6:15 a.m.18 views

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads direc...

7.2CVSS6.9AI score0.0043EPSS
CVE
CVE
added 2023/11/14 6:15 a.m.18 views

CVE-2023-45881

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

6.1CVSS6.2AI score0.00201EPSS