Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-15940: PSIRT Advisories | FortiGuard

An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server.

CVE
#vulnerability

Related news

CVE-2021-43264: Bug #1944979 “Path traversal leads to unauthenticated HTML file ...” : Bugs : Mahara

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file allows attackers to bypass the intended access control for HTML files via directory traversal. It replaces the - character with the / character.

CVE-2021-41023: PSIRT Advisories | FortiGuard

A unprotected storage of credentials in Fortinet FortiSIEM Windows Agent version 4.1.4 and below allows an authenticated user to disclosure agent password due to plaintext credential storage in log files

CVE-2021-42754: PSIRT Advisories | FortiGuard

An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user permission via the malicious dylib file.

CVE-2020-23685: 118jianzhan v2.10 /Admin/login.php sql injection vulnerability · Issue #2 · vtime-tech/188Jianzhan

SQL Injection vulnerability in 188Jianzhan v2.1.0, allows attackers to execute arbitrary code and gain escalated privileges, via the username parameter to login.php.

CVE-2021-26739: There is a sqli vulnerability in pay.php,No admin user login required · Issue #5 · millken/doyocms

SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows attackers to execute arbitrary code, via the attribute parameter.

CVE-2021-41746: SQL injection · Issue #1 · purple-WL/Yonyou-TurboCRM-SQL-injection

SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.

CVE-2021-41675: 0dayHunt/E-Negosyo-Authenticated-RCE.py at main · janikwehrli1/0dayHunt

A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getImageSizei. .

CVE-2021-41920: webTareas 2.4 - Multiple Vulnerabilities

webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sor_cible, sor_champs, and sor_ordre HTTP POST parameters. This allows an attacker to access all the data in the database and obtain access to the webTareas application.

CVE-2021-24021: PSIRT Advisories | FortiGuard

An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks.

CVE-2021-36178: PSIRT Advisories | FortiGuard

A insufficiently protected credentials in Fortinet FortiSDNConnector version 1.1.7 and below allows attacker to disclose third-party devices credential information via configuration page lookup.

CVE-2020-15941: FortiGuard

A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages.

CVE-2020-15941: PSIRT Advisories | FortiGuard

A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages.

CVE-2021-36175: PSIRT Advisories | FortiGuard

An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.

CVE-2021-36875: WordPress uListing plugin <= 2.0.5 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated Reflected Cross-Site Scripting (XSS) vulnerability in WordPress uListing plugin (versions <= 2.0.5). Vulnerable parameters: &filter[id], &filter[user], &filter[expired_date], &filter[created_date], &filter[updated_date].

CVE-2021-36880: WordPress uListing plugin <= 2.0.3 - Unauthenticated SQL Injection (SQLi) vulnerability - Patchstack

Unauthenticated SQL Injection (SQLi) vulnerability in WordPress uListing plugin (versions <= 2.0.3), vulnerable parameter: custom.

CVE-2021-36879: WordPress uListing plugin <= 2.0.5 - Unauthenticated Privilege Escalation vulnerability - Patchstack

Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration.

CVE-2021-36874: WordPress uListing plugin <= 2.0.5 - Authenticated Insecure Direct Object References (IDOR) vulnerability - Patchstack

Authenticated Insecure Direct Object References (IDOR) vulnerability in WordPress uListing plugin (versions <= 2.0.5).

CVE-2021-36873: iQ Block Country

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907