Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-24986: HackerOne

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.

CVE

Related news

CVE-2021-33816: Security Advisory 2106-01 - Trovent Security GmbH

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.

CVE-2021-41772: [security] Go 1.17.3 and Go 1.16.10 are released

Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field.

CVE-2021-41566: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad TadTools - Arbitrary File Upload

The file extension of the TadTools file upload function fails to filter, thus remote attackers can upload any types of files and execute arbitrary code without logging in.

CVE-2021-39404: GitHub - mari0x00/MaianAffiliate-Code-execution-and-XSS

MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database.

CVE-2020-19553: Stored Cross-Scripting Vulnerability Vulnerability in WUZHI CMS <=4.1.0 · Issue #179 · wuzhicms/wuzhicms

Cross Site Scripting (XSS) vlnerability exists in WUZHI CMS up to and including 4.1.0 in the config function in coreframe/app/attachment/libs/class/ckditor.class.php.

CVE-2021-39548: Segmentation fault in frame_decoder.cpp:65:35 · Issue #28 · sahaRatul/sela

An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function frame::FrameDecoder::process() located in frame_decoder.c. It allows an attacker to cause Denial of Service.

CVE-2021-39547: Segmentation fault in sample_generator.cpp:15:18 · Issue #32 · sahaRatul/sela

An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function lpc::SampleGenerator::process() located in sample_generator.cpp. It allows an attacker to cause Denial of Service.

CVE-2021-32287: A global-buffer-overflow in hevcdecoderconfigrecord.cpp:311:37 · Issue #86 · nokiatech/heif

An issue was discovered in heif through v3.6.2. A global-buffer-overflow exists in the function HevcDecoderConfigurationRecord::getPicWidth() located in hevcdecoderconfigrecord.cpp. It allows an attacker to cause code Execution.

CVE-2021-39549: Segmentation fault in wav_file.cpp:13:46 · Issue #27 · sahaRatul/sela

An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function file::WavFile::WavFile() located in wav_file.c. It allows an attacker to cause Denial of Service.

CVE-2021-32288: A global-buffer-overflow in hevcdecoderconfigrecord.cpp:317:38 · Issue #87 · nokiatech/heif

An issue was discovered in heif through v3.6.2. A global-buffer-overflow exists in the function HevcDecoderConfigurationRecord::getPicHeight() located in hevcdecoderconfigrecord.cpp. It allows an attacker to cause code Execution.

CVE-2021-39545: Segmentation fault in rice_decoder.cpp:58:5 · Issue #31 · sahaRatul/sela

An issue was discovered in sela through 20200412. A NULL pointer dereference exists in the function rice::RiceDecoder::process() located in rice_decoder.c. It allows an attacker to cause Denial of Service.

CVE-2021-32265: A global-buffer-overflow in Ap4ByteStream.cpp:783:5 · Issue #545 · axiomatic-systems/Bento4

An issue was discovered in Bento4 through v1.6.0-637. A global-buffer-overflow exists in the function AP4_MemoryByteStream::WritePartial() located in Ap4ByteStream.cpp. It allows an attacker to cause code execution or information disclosure.

CVE-2021-40674: There are 3 SQL injections in Wuzhicms v4.1.0 background · Issue #198 · wuzhicms/wuzhicms

An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php.

CVE-2021-40669: Wuzhicms v4.1.0 /coreframe/app/promote/admin/index.php hava a SQL Injection Vulnerability · Issue #196 · wuzhicms/wuzhicms

SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.

CVE-2021-40670: Wuzhicms v4.1.0 /coreframe/app/order/admin/card.php hava a SQL Injection Vulnerability · Issue #197 · wuzhicms/wuzhicms

SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file.

CVE-2021-40373: GitHub - maikroservice/CVE-2021-40373: CVE-2021-40373 - remote code execution

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907