Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-40105: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.

CVE

Related news

CVE-2021-43140: GitHub - Dir0x/CVE-2021-43140: SQL injection vulnerability in login exists in Sourcecodester Simple Subscription Website.

SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login.

CVE-2021-43141: GitHub - Dir0x/CVE-2021-43141: Information about CVE-2021-43141, a reflected XSS in the plan_application section.

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.

CVE-2020-23109: Heap overflow in heif_colorconversion.cc:2263 · Issue #207 · strukturag/libheif

Buffer overflow vulnerability in function convert_colorspace in heif_colorconversion.cc in libheif v1.6.2, allows attackers to cause a denial of service and disclose sensitive information, via a crafted HEIF file.

CVE-2021-27644: Pony Mail!

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVE-2021-27644

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVE-2021-41728: GitHub - Dir0x/CVE-2021-41728: Information about CVE-2021-41728, a reflected XSS in the search function.

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester News247 CMS 1.0 via the search function in articles.

WordPress 4.9.6 Arbitrary File Deletion

WordPress version 4.9.6 arbitrary file deletion exploit. Original discovery of this vulnerability is attributed to VulnSpy in June of 2018.

CVE-2020-28969

Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.

CVE-2021-36387: Yellowfin-Multiple-Vulnerabilities/README.md at main · cyberaz0r/Yellowfin-Multiple-Vulnerabilities

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".

CVE-2021-36388: Yellowfin-Multiple-Vulnerabilities/README.md at main · cyberaz0r/Yellowfin-Multiple-Vulnerabilities

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

CVE-2021-22535: Potential information disclosure vulnerability (CVE-2021-22535)

Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclosure.

CVE-2021-40106: 8.5.6 Release Notes :: Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

CVE-2021-40097: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.

CVE-2021-40104: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.

CVE-2021-40103: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.

CVE-2021-40099: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.

CVE-2021-40100: 8.5.6 Release Notes :: Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.

CVE-2021-36872: wordpress-popular-posts/changelog.md at master · cabrerahector/wordpress-popular-posts

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). Vulnerable at &widget-wpp[2][post_type].

CVE-2021-22953: HackerOne

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team"

CVE-2021-22949: HackerOne

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team"

CVE-2021-22950: 8.5.6 Release Notes :: Concrete CMS

Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team"

CVE-2020-19915: wuzhicms v4.1.0 persistent xss vulnerability

Cross Site Scripting (XSS vulnerability exists in WUZHI CMS 4.1.0 via the [mailbox username in index.php.

CVE-2020-21048: Release v1.8.4 security update · saitoha/libsixel

An issue in the dither.c component of libsixel prior to v1.8.4 allows attackers to cause a denial of service (DOS) via a crafted PNG file.

CVE-2020-21049: Release v1.8.5 security update · saitoha/libsixel

An invalid read in the stb_image.h component of libsixel prior to v1.8.5 allows attackers to cause a denial of service (DOS) via a crafted PSD file.

CVE-2020-14389: Invalid Bug ID

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907