Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-14389: Invalid Bug ID

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

CVE

Related news

CVE-2021-43140: GitHub - Dir0x/CVE-2021-43140: SQL injection vulnerability in login exists in Sourcecodester Simple Subscription Website.

SQL Injection vulnerability exists in Sourcecodester. Simple Subscription Website 1.0. via the login.

CVE-2021-43141: GitHub - Dir0x/CVE-2021-43141: Information about CVE-2021-43141, a reflected XSS in the plan_application section.

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.

CVE-2021-27644: Pony Mail!

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVE-2021-27644

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVE-2021-41728: GitHub - Dir0x/CVE-2021-41728: Information about CVE-2021-41728, a reflected XSS in the search function.

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester News247 CMS 1.0 via the search function in articles.

CVE-2021-36388: Yellowfin-Multiple-Vulnerabilities/README.md at main · cyberaz0r/Yellowfin-Multiple-Vulnerabilities

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

CVE-2021-36387: Yellowfin-Multiple-Vulnerabilities/README.md at main · cyberaz0r/Yellowfin-Multiple-Vulnerabilities

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".

CVE-2021-40105: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.

CVE-2021-40106: 8.5.6 Release Notes :: Concrete CMS

An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

CVE-2021-40097: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.

CVE-2021-40104: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.

CVE-2021-40099: HackerOne

An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.

CVE-2021-36872: wordpress-popular-posts/changelog.md at master · cabrerahector/wordpress-popular-posts

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). Vulnerable at &widget-wpp[2][post_type].

CVE-2020-19915: wuzhicms v4.1.0 persistent xss vulnerability

Cross Site Scripting (XSS vulnerability exists in WUZHI CMS 4.1.0 via the [mailbox username in index.php.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907