Security
Headlines

CVE-2021-25959: WhiteSource Vulnerability Database

In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external JavaScript files against any user of the openCRX instance.


Related news

CVE-2021-26786: PlayTube install/index.php ReInstall with no Limit to Excute php code Vulnerability · Issue #1 · customercentric-selling-poland/playtuber

An issue was discovered in customercentric-selling-poland PlayTube that allows authenticated attackers to execute arbitrary code via the purchase code written to config.php.

CVE-2020-23685: 118jianzhan v2.10 /Admin/login.php sql injection vulnerability · Issue #2 · vtime-tech/188Jianzhan

SQL Injection vulnerability in 188Jianzhan v2.1.0, allows attackers to execute arbitrary code and gain escalated privileges, via the username parameter to login.php.

CVE-2020-36486: HTTP Error 404

Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.

CVE-2020-23038: HTTP Error 404

Swift File Transfer Mobile v1.1.2 and below was discovered to contain an information disclosure vulnerability in the path parameter. This vulnerability is exploited via an error caused by including non-existent path environment variables.

CVE-2021-41971: Pony Mail!

Apache Superset up to and including 1.3.0, when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default), allowed SQL injection when a malicious authenticated user sends an HTTP request with a custom URL.

CVE-2021-40542: Unauthenticated Reflect Cross-site Scripting in Ajax_url_encode.php file · Issue #189 · OS4ED/openSIS-Classic

Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.

CVE-2021-25963: General: fix critical views that can be subject of XSS attacks · shuup/shuup@75714c3

In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary JavaScript code in a victim's browser. This vulnerability exists because the error page contents are not escaped.

CVE-2020-20696: [Security]Gila CMS v1.11.4 has xss vulnerability in the release of new posts · Issue #53 · GilaCMS/gila

A cross-site scripting (XSS) vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Tags field.

CVE-2021-40329: Ping Identity Documentation Portal

The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.

CVE-2020-19949: Cross Site Scripting Vulnerability in Latest Release V5.3 · Issue #21 · yzmcms/yzmcms

A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

CVE-2020-19950: Cross Site Scripting Vulnerability in Latest Release V5.3 · Issue #22 · yzmcms/yzmcms

A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.

CVE-2021-38338: Vulnerability Advisories - Wordfence

The Border Loading Bar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `f` and `t` parameters found in the ~/titan-framework/iframe-googlefont-preview.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

CVE-2021-38320: Vulnerability Advisories - Wordfence

The simpleSAMLphp Authentication WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.0.

CVE-2021-38319: Vulnerability Advisories - Wordfence

The More From Google WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/morefromgoogle.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.

CVE-2021-38714: PLIB / Bugs / #55 integer overflow for maliciously crafted tga file

In Plib through 1.85, there is an integer overflow vulnerability that could result in arbitrary code execution. The vulnerability is found in the ssgLoadTGA() function in the src/ssg/ssgLoadTGA.cxx file.

HiveNightmare

The security account manager (SAM) file contains the password hashes of the users on a Windows system. Since it is considered a sensitive file SYSTEM…

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907